1 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter.h linux-2.6.0-test7/include/linux/netfilter.h
2 --- linux-2.6.0-test7.org/include/linux/netfilter.h 2003-10-08 21:24:06.000000000 +0200
3 +++ linux-2.6.0-test7/include/linux/netfilter.h 2003-10-10 11:53:17.000000000 +0200
5 <= 0x2000 is used for protocol-flags. */
6 #define NFC_UNKNOWN 0x4000
7 #define NFC_ALTERED 0x8000
8 +#define NFC_TRACE 0x10000
11 #include <linux/config.h>
14 extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
16 +typedef void nf_logfn(unsigned int hooknum,
17 + const struct sk_buff *skb,
18 + const struct net_device *in,
19 + const struct net_device *out,
20 + const char *prefix);
22 +/* Function to register/unregister log function. */
23 +int nf_log_register(int pf, nf_logfn *logfn);
24 +void nf_log_unregister(int pf, nf_logfn *logfn);
26 +/* Calls the registered backend logging function */
27 +void nf_log_packet(int pf,
28 + unsigned int hooknum,
29 + const struct sk_buff *skb,
30 + const struct net_device *in,
31 + const struct net_device *out,
32 + const char *fmt, ...);
34 /* Activate hook; either okfn or kfree_skb called, unless a hook
35 returns NF_STOLEN (in which case, it's up to the hook to deal with
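Review bot: `nf_log_packet` at lines 27-32 takes a printf-style `fmt, ...` but carries no format attribute, so the compiler cannot check the `"TRACE: %s/%s/%u "` call in ip_tables.c, or any later caller, against its arguments. Add `__attribute__((format(printf, 6, 7)))` to the declaration (argument 6 is `fmt`, 7 the first vararg). The comment at line 26 should also state the two things a caller cannot see from the prototype: the formatted prefix is truncated to NF_LOG_PREFIXLEN (128) bytes by the `vsnprintf` in netfilter.c, and when no backend is registered the call logs nothing and only prints a one-time warning, so code that relies on the trace actually appearing must check that ipt_LOG or ipt_ULOG is loaded.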
37 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_conntrack.h
38 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_conntrack.h 2003-10-08 21:24:48.000000000 +0200
39 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_conntrack.h 2003-10-10 11:53:17.000000000 +0200
42 extern unsigned int ip_conntrack_htable_size;
44 +/* A fake conntrack entry which never vanishes. */
45 +extern struct ip_conntrack ip_conntrack_untracked;
47 /* eg. PROVIDES_CONNTRACK(ftp); */
48 #define PROVIDES_CONNTRACK(name) \
49 int needs_ip_conntrack_##name; \
50 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_tables.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_tables.h
51 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ip_tables.h 2003-10-08 21:24:07.000000000 +0200
52 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ip_tables.h 2003-10-10 11:53:17.000000000 +0200
55 unsigned int comefrom;
57 + /* Name of the chain */
60 + /* Rule number in the chain. */
63 /* Packet and byte counters. */
64 struct ipt_counters counters;
66 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_ULOG.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_ULOG.h
67 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_ULOG.h 2003-10-08 21:24:04.000000000 +0200
68 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_ULOG.h 2003-10-10 11:52:57.000000000 +0200
70 #define NETLINK_NFLOG 5
73 +#define NFLOG_DEFAULT_NLGROUP 1
74 +#define NFLOG_DEFAULT_QTHRESHOLD 1
76 #define ULOG_MAC_LEN 80
77 #define ULOG_PREFIX_LEN 32
79 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_conntrack.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_conntrack.h
80 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_conntrack.h 2003-10-08 21:24:26.000000000 +0200
81 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_conntrack.h 2003-10-10 11:53:17.000000000 +0200
84 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
85 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
86 +#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
88 /* flags, invflags: */
89 #define IPT_CONNTRACK_STATE 0x01
90 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_sctp.h
91 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_sctp.h 1970-01-01 01:00:00.000000000 +0100
92 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_sctp.h 2003-10-10 11:53:27.000000000 +0200
94 +/* iptables module for matching the SCTP header
96 + * (C) 2003 Harald Welte <laforge@gnumonks.org>
98 + * This software is distributed under GNU GPL v2, 1991
105 +struct ipt_sctp_info {
106 + u_int16_t spts[2]; /* Souce port range */
107 + u_int16_t dpts[2]; /* Destination port range */
108 + u_int32_t chunks; /* chunks to be matched */
109 + u_int32_t chunk_mask; /* chunk mask to be matched */
110 + u_int8_t invflags; /* Inverse flags */
113 +#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
114 +#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
115 +#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
116 +#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
118 +#endif /* _IPT_SCTP_H */
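Review bot: `IPT_SCTP_INV_CHUNKS` at line 115 is `0x03`, which is `IPT_SCTP_INV_SRCPT | IPT_SCTP_INV_DSTPT` rather than a bit of its own, so, assuming the match tests each flag with a bitwise AND as the other netfilter matches do, a rule that inverts the chunk test would instead flip both port tests and leave the chunk test uninverted, and `IPT_SCTP_INV_MASK` at line 116 would reject a correctly encoded `0x04`. The flags must be distinct bits: `#define IPT_SCTP_INV_CHUNKS 0x04` and `#define IPT_SCTP_INV_MASK 0x07`. The userspace libipt_sctp encoding has to agree with whatever value is chosen, and the `Souce` typo in the `spts` comment at line 106 could be fixed in the same pass.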
119 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_state.h linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_state.h
120 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4/ipt_state.h 2003-10-08 21:24:42.000000000 +0200
121 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4/ipt_state.h 2003-10-10 11:53:17.000000000 +0200
123 #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
124 #define IPT_STATE_INVALID (1 << 0)
126 +#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
128 struct ipt_state_info
130 unsigned int statemask;
131 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv4.h linux-2.6.0-test7/include/linux/netfilter_ipv4.h
132 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv4.h 2003-10-08 21:24:32.000000000 +0200
133 +++ linux-2.6.0-test7/include/linux/netfilter_ipv4.h 2003-10-10 11:53:17.000000000 +0200
136 enum nf_ip_hook_priorities {
137 NF_IP_PRI_FIRST = INT_MIN,
138 + NF_IP_PRI_CONNTRACK_DEFRAG = -400,
139 + NF_IP_PRI_RAW = -300,
140 NF_IP_PRI_CONNTRACK = -200,
141 NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
142 NF_IP_PRI_MANGLE = -150,
143 diff -Nur linux-2.6.0-test7.org/include/linux/netfilter_ipv6/ip6_tables.h linux-2.6.0-test7/include/linux/netfilter_ipv6/ip6_tables.h
144 --- linux-2.6.0-test7.org/include/linux/netfilter_ipv6/ip6_tables.h 2003-10-08 21:24:51.000000000 +0200
145 +++ linux-2.6.0-test7/include/linux/netfilter_ipv6/ip6_tables.h 2003-10-10 11:53:17.000000000 +0200
148 unsigned int comefrom;
150 + /* Name of the chain */
153 + /* Rule number in the chain. */
156 /* Packet and byte counters. */
157 struct ip6t_counters counters;
159 diff -Nur linux-2.6.0-test7.org/net/core/netfilter.c linux-2.6.0-test7/net/core/netfilter.c
160 --- linux-2.6.0-test7.org/net/core/netfilter.c 2003-10-08 21:24:04.000000000 +0200
161 +++ linux-2.6.0-test7/net/core/netfilter.c 2003-10-10 11:52:57.000000000 +0200
164 * February 2000: Modified by James Morris to have 1 queue per protocol.
165 * 15-Mar-2000: Added NF_REPEAT --RR.
166 + * 08-May-2003: Internal logging interface added by Jozsef Kadlecsik.
168 #include <linux/config.h>
169 +#include <linux/kernel.h>
170 #include <linux/netfilter.h>
171 #include <net/protocol.h>
172 #include <linux/init.h>
174 EXPORT_SYMBOL(skb_ip_make_writable);
175 #endif /*CONFIG_INET*/
177 +/* Internal logging interface, which relies on the real
178 + LOG target modules */
180 +#define NF_LOG_PREFIXLEN 128
182 +static nf_logfn *nf_logging[NPROTO]; /* = NULL */
183 +static int reported = 0;
184 +static spinlock_t nf_log_lock = SPIN_LOCK_UNLOCKED;
186 +int nf_log_register(int pf, nf_logfn *logfn)
190 + /* Any setup of logging members must be done before
191 + * substituting pointer. */
193 + spin_lock(&nf_log_lock);
194 + if (!nf_logging[pf]) {
195 + nf_logging[pf] = logfn;
198 + spin_unlock(&nf_log_lock);
202 +void nf_log_unregister(int pf, nf_logfn *logfn)
204 + spin_lock(&nf_log_lock);
205 + if (nf_logging[pf] == logfn)
206 + nf_logging[pf] = NULL;
207 + spin_unlock(&nf_log_lock);
209 + /* Give time to concurrent readers. */
213 +void nf_log_packet(int pf,
214 + unsigned int hooknum,
215 + const struct sk_buff *skb,
216 + const struct net_device *in,
217 + const struct net_device *out,
218 + const char *fmt, ...)
221 + char prefix[NF_LOG_PREFIXLEN];
225 + logfn = nf_logging[pf];
227 + va_start(args, fmt);
228 + vsnprintf(prefix, sizeof(prefix), fmt, args);
230 + /* We must read logging before nf_logfn[pf] */
231 + smp_read_barrier_depends();
232 + logfn(hooknum, skb, in, out, prefix);
233 + } else if (!reported) {
234 + printk(KERN_WARNING "nf_log_packet: can\'t log yet, "
235 + "no backend logging module loaded in!\n");
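Review bot: None of `nf_log_register`, `nf_log_unregister` or `nf_log_packet` range-checks `pf` before indexing `nf_logging[pf]` (lines 194, 205, 225), so an in-kernel caller passing `pf >= NPROTO` or a negative value reads or writes past the array; the register path should fail early with `if (pf < 0 || pf >= NPROTO) return -EINVAL;` and the other two should simply return on the same test. `reported` is also written outside `nf_log_lock`, which is harmless for a warn-once flag but deserves a one-line comment saying so. The `if (logfn)` test and the `va_end` that presumably follow lines 225 and 228 are not visible in this hunk.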
241 /* This does not belong here, but ipt_REJECT needs it if connection
242 tracking in use: without this, connection may not be in hash table,
243 and hence manufactured ICMP or RST packets will not be associated
245 EXPORT_SYMBOL(nf_unregister_hook);
246 EXPORT_SYMBOL(nf_unregister_queue_handler);
247 EXPORT_SYMBOL(nf_unregister_sockopt);
248 +EXPORT_SYMBOL(nf_log_register);
249 +EXPORT_SYMBOL(nf_log_unregister);
250 +EXPORT_SYMBOL(nf_log_packet);
251 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/Kconfig linux-2.6.0-test7/net/ipv4/netfilter/Kconfig
252 --- linux-2.6.0-test7.org/net/ipv4/netfilter/Kconfig 2003-10-08 21:24:27.000000000 +0200
253 +++ linux-2.6.0-test7/net/ipv4/netfilter/Kconfig 2003-10-10 11:53:27.000000000 +0200
256 To compile it as a module, choose M here. If unsure, say N.
258 +config IP_NF_MATCH_SCTP
259 + tristate "SCTP match support"
260 + depends on IP_NF_IPTABLES
262 + This match allows iptables to match on the SCTP header.
264 + If you want to compile it as a module, say M here and read
265 + <file:Documentation/modules.txt>. If unsure, say `N'.
267 config IP_NF_MATCH_LENGTH
268 tristate "LENGTH match support"
269 depends on IP_NF_IPTABLES
272 To compile it as a module, choose M here. If unsure, say N.
275 + tristate "Raw table"
276 + depends on IP_NF_IPTABLES
278 + This option adds a `raw' table to iptables: see the man page for
279 + iptables(8). This table is the very first in the netfilter
280 + framework and hooks in at the PREROUTING and OUTPUT chains.
281 + The TRACE and NOTRACK targets can be used in this table only.
283 + To compile it as a module, choose M here. If unsure, say N.
285 +config IP_NF_TARGET_TRACE
286 + tristate "TRACE target support"
287 + depends on IP_NF_RAW
289 + The TRACE target allows packets to be traced as those matches
290 + any subsequent rule in any table/rule. The matched rule and
291 + the packet is logged with the prefix
293 + TRACE: tablename/chainname/rulenum
295 + if the ipt_LOG or ipt_ULOG targets are loaded in.
297 + To compile it as a module, choose M here. If unsure, say N.
299 +config IP_NF_TARGET_NOTRACK
300 + tristate "NOTRACK target support"
301 + depends on IP_NF_RAW
303 + The NOTRACK target allows a select rule to specify which
304 + packets *not* to enter the conntrack/NAT subsystems
305 + with all the consequences (no ICMP error tracking,
306 + no protocol helpers for the selected packets).
308 + To compile it as a module, choose M here. If unsure, say N.
310 config IP_NF_ARPTABLES
311 tristate "ARP tables support"
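Review bot: The NOTRACK help text at lines 303-306 says marked packets do not enter the conntrack subsystem, but the defragmentation hook added by this same patch runs at `NF_IP_PRI_CONNTRACK_DEFRAG` (-400), ahead of the raw table at `NF_IP_PRI_RAW` (-300), so fragments of NOTRACK'd traffic are still reassembled by ip_conntrack before the raw rule is ever evaluated. Worth stating so administrators do not expect NOTRACK to disable reassembly: `Note that IP defragmentation in PREROUTING still happens for these packets, since the conntrack defrag hook runs before the raw table.` The TRACE help at 289-295 could likewise say what happens when neither ipt_LOG nor ipt_ULOG is loaded: nothing is logged and the kernel prints a single warning.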
313 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/Makefile linux-2.6.0-test7/net/ipv4/netfilter/Makefile
314 --- linux-2.6.0-test7.org/net/ipv4/netfilter/Makefile 2003-10-08 21:24:02.000000000 +0200
315 +++ linux-2.6.0-test7/net/ipv4/netfilter/Makefile 2003-10-10 11:53:27.000000000 +0200
318 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
320 -# the three instances of ip_tables
321 +# the four instances of ip_tables
322 obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
323 obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
324 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
325 +obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
328 +obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
329 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
330 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
331 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
333 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
334 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
335 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
336 +obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
337 +obj-$(CONFIG_IP_NF_TARGET_TRACE) += ipt_TRACE.o
340 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
341 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_amanda.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_amanda.c
342 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_amanda.c 2003-10-08 21:24:17.000000000 +0200
343 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_amanda.c 2003-10-10 11:52:23.000000000 +0200
345 PROVIDES_CONNTRACK(amanda);
346 EXPORT_SYMBOL(ip_amanda_lock);
348 +EXPORT_SYMBOL(ip_amanda_lock);
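Review bot: The added `EXPORT_SYMBOL(ip_amanda_lock);` at line 348 duplicates the unchanged export shown as context at line 346, so the patched file exports the same symbol twice and should fail to build as a module with a duplicate definition of `__ksymtab_ip_amanda_lock`. Unless the omitted line 347 removes the original, the added line should be dropped. The rest of this hunk is not visible here.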
352 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_core.c
353 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_core.c 2003-10-08 21:24:00.000000000 +0200
354 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_core.c 2003-10-10 11:53:17.000000000 +0200
356 #include <linux/slab.h>
357 #include <linux/random.h>
358 #include <linux/jhash.h>
359 -/* For ERR_PTR(). Yeah, I know... --RR */
360 -#include <linux/fs.h>
361 +#include <linux/err.h>
363 /* This rwlock protects the main hash table, protocol/helper/expected
364 registrations, conntrack timers*/
366 static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
367 struct list_head *ip_conntrack_hash;
368 static kmem_cache_t *ip_conntrack_cachep;
369 +struct ip_conntrack ip_conntrack_untracked;
371 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
373 @@ -808,18 +808,10 @@
377 - /* Previously seen (loopback)? Ignore. Do this before
379 + /* Previously seen (loopback or untracked)? Ignore. */
383 - /* Gather fragments. */
384 - if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
385 - *pskb = ip_ct_gather_frags(*pskb);
390 proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
392 /* It may be an icmp error... */
395 } else if (related_to->helper->max_expected &&
396 related_to->expecting >= related_to->helper->max_expected) {
397 - struct list_head *cur_item;
399 if (!(related_to->helper->flags &
400 IP_CT_HELPER_F_REUSE_EXPECT)) {
401 @@ -978,21 +969,14 @@
402 NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
404 /* choose the the oldest expectation to evict */
405 - list_for_each(cur_item, &related_to->sibling_list) {
406 - struct ip_conntrack_expect *cur;
408 - cur = list_entry(cur_item,
409 - struct ip_conntrack_expect,
411 - if (cur->sibling == NULL) {
413 + list_for_each_entry(old, &related_to->sibling_list,
415 + if (old->sibling == NULL)
420 - /* (!old) cannot happen, since related_to->expecting is the
421 - * number of unconfirmed expects */
423 + /* We cannot fail since related_to->expecting is the number
424 + * of unconfirmed expectations */
425 + IP_NF_ASSERT(old && old->sibling == NULL);
427 /* newnat14 does not reuse the real allocated memory
428 * structures but rather unexpects the old and
429 @@ -1024,7 +1008,7 @@
430 atomic_set(&new->use, 1);
432 /* add to expected list for this connection */
433 - list_add(&new->expected_list, &related_to->sibling_list);
434 + list_add_tail(&new->expected_list, &related_to->sibling_list);
435 /* add to global list of expectations */
436 list_prepend(&ip_conntrack_expect_list, &new->list);
437 /* add and start timer if required */
438 @@ -1419,6 +1403,15 @@
440 /* For use by ipt_REJECT */
441 ip_ct_attach = ip_conntrack_attach;
443 + /* Set up fake conntrack:
444 + - to never be deleted, not in any hashes */
445 + atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
446 + /* - and look it like as a confirmed connection */
447 + set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
448 + /* - and prepare the ctinfo field for NAT. */
449 + ip_conntrack_untracked.infos[IP_CT_NEW].master = &ip_conntrack_untracked.ct_general;
454 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_standalone.c
455 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-10-08 21:24:04.000000000 +0200
456 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-10-10 11:53:17.000000000 +0200
458 return ip_conntrack_confirm(*pskb);
461 +static unsigned int ip_conntrack_defrag(unsigned int hooknum,
462 + struct sk_buff **pskb,
463 + const struct net_device *in,
464 + const struct net_device *out,
465 + int (*okfn)(struct sk_buff *))
467 + /* Previously seen (loopback)? Ignore. Do this before
472 + /* Gather fragments. */
473 + if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
474 + *pskb = ip_ct_gather_frags(*pskb);
481 static unsigned int ip_refrag(unsigned int hooknum,
482 struct sk_buff **pskb,
483 const struct net_device *in,
485 return ip_conntrack_in(hooknum, pskb, in, out, okfn);
488 +/* At the very first: defragment */
489 +static struct nf_hook_ops ip_conntrack_defrag_ops = {
490 + .hook = ip_conntrack_defrag,
491 + .owner = THIS_MODULE,
493 + .hooknum = NF_IP_PRE_ROUTING,
494 + .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
497 /* Connection tracking may drop packets, but never alters them, so
498 make it the first hook. */
499 static struct nf_hook_ops ip_conntrack_in_ops = {
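Review bot: Defragmentation now happens only in the new `ip_conntrack_defrag_ops` hook at `NF_IP_PRE_ROUTING` (lines 489-494) while the `Gather fragments` step is removed from `ip_conntrack_in` itself (ip_conntrack_core.c lines 383-385), so a fragment emitted locally through a raw socket with IP_HDRINCL now reaches `ip_conntrack_in` via the LOCAL_OUT hook unreassembled, where the protocol's tuple extraction would presumably read a transport header that is not there. A matching defrag hook on `NF_IP_LOCAL_OUT` at the same priority should be registered and unregistered alongside the PREROUTING one in the init/fini path at lines 504-522; as far as this section shows only the PREROUTING hook is registered there. Alternatively `ip_conntrack_in` should refuse non-first fragments explicitly instead of trusting that every caller defragmented.
```c
/* Locally generated packets can already be fragmented (raw sockets with
 * IP_HDRINCL), so LOCAL_OUT needs the same reassembly before ip_conntrack_in. */
static struct nf_hook_ops ip_conntrack_defrag_local_out_ops = {
	.hook		= ip_conntrack_defrag,
	.owner		= THIS_MODULE,
	.pf		= PF_INET,
	.hooknum	= NF_IP_LOCAL_OUT,
	.priority	= NF_IP_PRI_CONNTRACK_DEFRAG,
};
```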
500 @@ -367,10 +396,15 @@
501 if (!proc) goto cleanup_init;
502 proc->owner = THIS_MODULE;
504 + ret = nf_register_hook(&ip_conntrack_defrag_ops);
506 + printk("ip_conntrack: can't register pre-routing hook to defrag.\n");
509 ret = nf_register_hook(&ip_conntrack_in_ops);
511 printk("ip_conntrack: can't register pre-routing hook.\n");
513 + goto cleanup_defragops;
515 ret = nf_register_hook(&ip_conntrack_local_out_ops);
518 nf_unregister_hook(&ip_conntrack_local_out_ops);
520 nf_unregister_hook(&ip_conntrack_in_ops);
522 + nf_unregister_hook(&ip_conntrack_defrag_ops);
524 proc_net_remove("ip_conntrack");
527 EXPORT_SYMBOL(ip_conntrack_expect_list);
528 EXPORT_SYMBOL(ip_conntrack_lock);
529 EXPORT_SYMBOL(ip_conntrack_hash);
530 +EXPORT_SYMBOL(ip_conntrack_untracked);
531 EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
532 EXPORT_SYMBOL_GPL(ip_conntrack_put);
533 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_tftp.c
534 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-10-08 21:24:03.000000000 +0200
535 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-10-10 11:52:47.000000000 +0200
538 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
539 /* Create helper structure */
540 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
542 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
543 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
544 tftp[i].mask.dst.protonum = 0xFFFF;
545 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_amanda.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_amanda.c
546 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_amanda.c 2003-10-08 21:24:02.000000000 +0200
547 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_amanda.c 2003-10-10 11:52:47.000000000 +0200
549 struct ip_nat_helper *hlpr;
551 hlpr = &ip_nat_amanda_helper;
552 - memset(hlpr, 0, sizeof(struct ip_nat_helper));
554 hlpr->tuple.dst.protonum = IPPROTO_UDP;
555 hlpr->tuple.src.u.udp.port = htons(10080);
556 hlpr->mask.src.u.udp.port = 0xFFFF;
557 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_core.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_core.c
558 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_core.c 2003-10-08 21:24:02.000000000 +0200
559 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_core.c 2003-10-10 11:53:17.000000000 +0200
562 /* Have to grab read lock before sibling_list traversal */
563 READ_LOCK(&ip_conntrack_lock);
564 - list_for_each(cur_item, &ct->sibling_list) {
565 + list_for_each_prev(cur_item, &ct->sibling_list) {
566 exp = list_entry(cur_item, struct ip_conntrack_expect,
569 @@ -1009,7 +1009,11 @@
570 /* FIXME: Man, this is a hack. <SIGH> */
571 IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
572 ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
575 + /* Initialize fake conntrack so that NAT will skip it */
576 + ip_conntrack_untracked.nat.info.initialized |=
577 + (1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST);
582 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_rule.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_rule.c
583 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_rule.c 2003-10-08 21:24:04.000000000 +0200
584 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_rule.c 2003-10-10 11:53:17.000000000 +0200
587 sizeof(struct ipt_entry),
588 sizeof(struct ipt_standard),
589 - 0, { 0, 0 }, { } },
590 + 0, NULL, 0, { 0, 0 }, { } },
591 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
596 sizeof(struct ipt_entry),
597 sizeof(struct ipt_standard),
598 - 0, { 0, 0 }, { } },
599 + 0, NULL, 0, { 0, 0 }, { } },
600 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
605 sizeof(struct ipt_entry),
606 sizeof(struct ipt_standard),
607 - 0, { 0, 0 }, { } },
608 + 0, NULL, 0, { 0, 0 }, { } },
609 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
614 sizeof(struct ipt_entry),
615 sizeof(struct ipt_error),
616 - 0, { 0, 0 }, { } },
617 + 0, NULL, 0, { 0, 0 }, { } },
618 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
621 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_tftp.c linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_tftp.c
622 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_nat_tftp.c 2003-10-08 21:24:03.000000000 +0200
623 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_nat_tftp.c 2003-10-10 11:52:47.000000000 +0200
625 ports[0] = TFTP_PORT;
627 for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
628 - memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
630 tftp[i].tuple.dst.protonum = IPPROTO_UDP;
631 tftp[i].tuple.src.u.udp.port = htons(ports[i]);
632 tftp[i].mask.dst.protonum = 0xFFFF;
633 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ip_tables.c linux-2.6.0-test7/net/ipv4/netfilter/ip_tables.c
634 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ip_tables.c 2003-10-08 21:24:02.000000000 +0200
635 +++ linux-2.6.0-test7/net/ipv4/netfilter/ip_tables.c 2003-10-10 11:53:17.000000000 +0200
637 #include <linux/config.h>
638 #include <linux/cache.h>
639 #include <linux/skbuff.h>
640 +#include <linux/socket.h>
641 #include <linux/kmod.h>
642 #include <linux/vmalloc.h>
643 #include <linux/netdevice.h>
645 #include <asm/semaphore.h>
646 #include <linux/proc_fs.h>
648 +#include <linux/netfilter.h>
649 #include <linux/netfilter_ipv4/ip_tables.h>
651 +static const char *hooknames[] = {
652 + [NF_IP_PRE_ROUTING] "PREROUTING",
653 + [NF_IP_LOCAL_IN] "INPUT",
654 + [NF_IP_FORWARD] "FORWARD",
655 + [NF_IP_LOCAL_OUT] "OUTPUT",
656 + [NF_IP_POST_ROUTING] "POSTROUTING",
659 MODULE_LICENSE("GPL");
660 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
661 MODULE_DESCRIPTION("IPv4 packet filter");
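Review bot: The `hooknames` initializer at lines 652-656 uses the obsolete GNU designator form `[INDEX] "value"` without `=`, which gcc only tolerates with a warning under -pedantic; write it as `[NF_IP_PRE_ROUTING] = "PREROUTING",` and so on. Since the strings are never modified the table should also be `static const char * const hooknames[]`, which then lets the consumer in `mark_source_chains` take it without a cast.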
664 t = ipt_get_target(e);
665 IP_NF_ASSERT(t->u.kernel.target);
667 + /* The packet traced and the rule isn't an unconditional return/END. */
668 + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) {
669 + nf_log_packet(AF_INET, hook, *pskb, in, out, "TRACE: %s/%s/%u ",
670 + table->name, e->chainname, e->rulenum);
672 /* Standard target? */
673 if (!t->u.kernel.target->target) {
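Review bot: The `nf_log_packet` call at lines 669-670 prints `e->chainname` with a bare `%s`; for a user-defined chain that pointer is `t->data` of the chain's ERROR entry (set at line 693), i.e. the `errorname` array copied in from userspace by the table replace, and nothing visible here forces that array to be NUL-terminated, so an unterminated name would make the log line read on into the following rule bytes until a zero byte turns up. The cheapest guard is to bound the conversion, `"TRACE: %s/%.*s/%u "` with `IPT_FUNCTION_MAXNAMELEN` as the extra width argument, or to verify termination at the point where `find_error_target` captures the name. The enclosing `ipt_do_table` starts and ends outside this hunk.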
676 return find_inlist_lock(&ipt_target, name, "ipt_", error, mutex);
680 +find_error_target(struct ipt_entry *s,
681 + struct ipt_entry *e,
684 + struct ipt_entry_target *t;
685 + static struct ipt_entry *found = NULL;
690 + t = ipt_get_target(found);
691 + if (strcmp(t->u.user.name,
692 + IPT_ERROR_TARGET) == 0) {
693 + *chainname = t->data;
702 /* All zeroes == unconditional rule. */
704 unconditional(const struct ipt_ip *ip)
706 mark_source_chains(struct ipt_table_info *newinfo, unsigned int valid_hooks)
709 + char *chainname = NULL;
712 /* No recursion; use packet counter to save back ptrs (reset
713 to 0 as we leave), and comefrom to save source hook bitmask */
716 /* Set initial back pointer. */
717 e->counters.pcnt = pos;
719 + chainname = (char *) hooknames[hook];
722 struct ipt_standard_target *t
726 |= ((1 << hook) | (1 << NF_IP_NUMHOOKS));
727 + e->rulenum = rulenum++;
728 + e->chainname = chainname;
730 /* Unconditional return/END. */
731 if (e->target_offset == sizeof(struct ipt_entry)
733 && unconditional(&e->ip)) {
734 unsigned int oldpos, size;
736 + /* Set unconditional rulenum to zero. */
738 + e->counters.bcnt = 0;
740 /* Return: backtrack through the last
744 (newinfo->entries + pos);
745 } while (oldpos == pos + e->next_offset);
747 + /* Restore chainname, rulenum. */
748 + chainname = e->chainname;
749 + rulenum = e->counters.bcnt;
750 + e->counters.bcnt = 0;
753 size = e->next_offset;
754 e = (struct ipt_entry *)
756 /* This a jump; chase it. */
757 duprintf("Jump rule %u -> %u\n",
759 + e->counters.bcnt = rulenum++;
761 + e = (struct ipt_entry *)
762 + (newinfo->entries + newpos);
763 + if (IPT_ENTRY_ITERATE(newinfo->entries,
766 + e, &chainname) == 0) {
767 + printk("ip_tables: table screwed up!\n");
771 /* ... this is a fallthru */
772 newpos = pos + e->next_offset;
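Review bot: `find_error_target` keeps its search state in a function-scope `static struct ipt_entry *found` (line 685), which makes `mark_source_chains` non-reentrant: if `translate_table` runs before `ipt_mutex` is taken in `do_replace`, as I believe it does in this tree, two concurrent table replacements share and corrupt `found`, and since it is never reset between calls a stale pointer into an already freed table can survive into the next search. The state belongs in the iteration argument, e.g. pass a small struct holding `found` and `chainname` through `IPT_ENTRY_ITERATE` instead of `&chainname` alone (line 766), or at the very least set `found = NULL` before each walk. Separately, `chainname = (char *) hooknames[hook]` at line 719 casts away the `const` of the table declared at line 651; declaring `ipt_entry.chainname` as `const char *` makes the cast unnecessary.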
773 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_LOG.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_LOG.c
774 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_LOG.c 2003-10-08 21:24:43.000000000 +0200
775 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_LOG.c 2003-10-10 11:52:57.000000000 +0200
777 #include <linux/module.h>
778 #include <linux/spinlock.h>
779 #include <linux/skbuff.h>
780 +#include <linux/socket.h>
781 #include <linux/ip.h>
782 #include <net/icmp.h>
785 #include <net/route.h>
787 +#include <linux/netfilter.h>
788 #include <linux/netfilter_ipv4/ip_tables.h>
789 #include <linux/netfilter_ipv4/ipt_LOG.h>
792 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
793 MODULE_DESCRIPTION("iptables syslog logging module");
795 +static unsigned int nflog = 1;
796 +MODULE_PARM(nflog, "i");
797 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
800 #define DEBUGP printk
802 @@ -315,28 +321,25 @@
803 /* maxlen = 230+ 91 + 230 + 252 = 803 */
807 -ipt_log_target(struct sk_buff **pskb,
809 +ipt_log_packet(unsigned int hooknum,
810 + const struct sk_buff *skb,
811 const struct net_device *in,
812 const struct net_device *out,
813 - unsigned int hooknum,
814 - const void *targinfo,
816 + const struct ipt_log_info *loginfo,
817 + const char *level_string,
818 + const char *prefix)
820 - const struct ipt_log_info *loginfo = targinfo;
821 - char level_string[4] = "< >";
823 - level_string[1] = '0' + (loginfo->level % 8);
824 spin_lock_bh(&log_lock);
825 printk(level_string);
826 printk("%sIN=%s OUT=%s ",
828 + prefix == NULL ? loginfo->prefix : prefix,
830 out ? out->name : "");
831 #ifdef CONFIG_BRIDGE_NETFILTER
832 - if ((*pskb)->nf_bridge) {
833 - struct net_device *physindev = (*pskb)->nf_bridge->physindev;
834 - struct net_device *physoutdev = (*pskb)->nf_bridge->physoutdev;
835 + if (skb->nf_bridge) {
836 + struct net_device *physindev = skb->nf_bridge->physindev;
837 + struct net_device *physoutdev = skb->nf_bridge->physoutdev;
839 if (physindev && in != physindev)
840 printk("PHYSIN=%s ", physindev->name);
841 @@ -348,25 +351,56 @@
843 /* MAC logging for input chain only. */
845 - if ((*pskb)->dev && (*pskb)->dev->hard_header_len
846 - && (*pskb)->mac.raw != (void*)(*pskb)->nh.iph) {
847 + if (skb->dev && skb->dev->hard_header_len
848 + && skb->mac.raw != (void*)skb->nh.iph) {
850 - unsigned char *p = (*pskb)->mac.raw;
851 - for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
852 + unsigned char *p = skb->mac.raw;
853 + for (i = 0; i < skb->dev->hard_header_len; i++,p++)
855 - i==(*pskb)->dev->hard_header_len - 1
856 + i==skb->dev->hard_header_len - 1
862 - dump_packet(loginfo, *pskb, 0);
863 + dump_packet(loginfo, skb, 0);
865 spin_unlock_bh(&log_lock);
869 +ipt_log_target(struct sk_buff **pskb,
870 + const struct net_device *in,
871 + const struct net_device *out,
872 + unsigned int hooknum,
873 + const void *targinfo,
876 + const struct ipt_log_info *loginfo = targinfo;
877 + char level_string[4] = "< >";
879 + level_string[1] = '0' + (loginfo->level % 8);
880 + ipt_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
886 +ipt_logfn(unsigned int hooknum,
887 + const struct sk_buff *skb,
888 + const struct net_device *in,
889 + const struct net_device *out,
890 + const char *prefix)
892 + struct ipt_log_info loginfo = {
894 + .logflags = IPT_LOG_MASK,
898 + ipt_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
901 static int ipt_log_checkentry(const char *tablename,
902 const struct ipt_entry *e,
904 @@ -406,12 +440,17 @@
906 if (ipt_register_target(&ipt_log_reg))
909 + nf_log_register(PF_INET, &ipt_logfn);
914 static void __exit fini(void)
917 + nf_log_unregister(PF_INET, &ipt_logfn);
919 ipt_unregister_target(&ipt_log_reg);
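Review bot: The return value of `nf_log_register(PF_INET, &ipt_logfn)` at line 909 is discarded, yet the registration does nothing when another backend already owns the `PF_INET` slot (`nf_log_register` only installs when `nf_logging[pf]` is NULL, netfilter.c line 194), so with ipt_ULOG loaded first all TRACE output goes to ULOG and an administrator who loaded this module with `nflog=1` gets no hint why. Report it: `if (nf_log_register(PF_INET, &ipt_logfn)) printk(KERN_INFO "ipt_LOG: another nflog backend is already registered\n");`. The unregister at line 917 is safe either way because it compares the function pointer. Whether these calls are already gated on the `nflog` parameter is on lines 908 and 916, which are not visible here.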
922 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_NOTRACK.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_NOTRACK.c
923 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_NOTRACK.c 1970-01-01 01:00:00.000000000 +0100
924 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_NOTRACK.c 2003-10-10 11:53:17.000000000 +0200
926 +/* This is a module which is used for setting up fake conntracks
927 + * on packets so that they are not seen by the conntrack/NAT code.
929 +#include <linux/module.h>
930 +#include <linux/skbuff.h>
932 +#include <linux/netfilter_ipv4/ip_tables.h>
933 +#include <linux/netfilter_ipv4/ip_conntrack.h>
936 +target(struct sk_buff **pskb,
937 + const struct net_device *in,
938 + const struct net_device *out,
939 + unsigned int hooknum,
940 + const void *targinfo,
943 + /* Previously seen (loopback)? Ignore. */
944 + if ((*pskb)->nfct != NULL)
945 + return IPT_CONTINUE;
947 + /* Attach fake conntrack entry.
948 + If there is a real ct entry correspondig to this packet,
949 + it'll hang aroun till timing out. We don't deal with it
950 + for performance reasons. JK */
951 + (*pskb)->nfct = &ip_conntrack_untracked.infos[IP_CT_NEW];
952 + nf_conntrack_get((*pskb)->nfct);
954 + return IPT_CONTINUE;
958 +checkentry(const char *tablename,
959 + const struct ipt_entry *e,
961 + unsigned int targinfosize,
962 + unsigned int hook_mask)
964 + if (targinfosize != 0) {
965 + printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
970 + if (strcmp(tablename, "raw") != 0) {
971 + printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
978 +static struct ipt_target ipt_notrack_reg = {
981 + .checkentry = checkentry,
986 +static int __init init(void)
988 + if (ipt_register_target(&ipt_notrack_reg))
994 +static void __exit fini(void)
996 + ipt_unregister_target(&ipt_notrack_reg);
1002 +MODULE_LICENSE("GPL");
1003 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1004 +MODULE_DESCRIPTION("IPv4 NOTRACK target");
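Review bot: The comment at lines 948-950 has two typos and should read `If there is a real ct entry corresponding to this packet, it'll hang around till timing out.` It would also help to say why the reference is taken at line 952: `nf_conntrack_get` bumps `ip_conntrack_untracked.ct_general.use`, which ip_conntrack_core.c initialises to 1 and never drops, so the count can never reach zero and the fake entry is never destroyed. Every NOTRACK'd packet therefore does an atomic increment and decrement on one global counter, a shared cache line on the SMP fast path; acceptable for now, but worth recording in the comment so nobody mistakes it for a per-packet allocation.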
1005 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_TRACE.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_TRACE.c
1006 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_TRACE.c 1970-01-01 01:00:00.000000000 +0100
1007 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_TRACE.c 2003-10-10 11:53:17.000000000 +0200
1009 +/* This is a module which is used for setting
1010 + * the NFC_TRACE flag in the nfcache field of an skb.
1012 +#include <linux/module.h>
1013 +#include <linux/skbuff.h>
1015 +#include <linux/netfilter_ipv4/ip_tables.h>
1017 +static unsigned int
1018 +target(struct sk_buff **pskb,
1019 + const struct net_device *in,
1020 + const struct net_device *out,
1021 + unsigned int hooknum,
1022 + const void *targinfo,
1025 + (*pskb)->nfcache |= NFC_TRACE;
1026 + return IPT_CONTINUE;
1030 +checkentry(const char *tablename,
1031 + const struct ipt_entry *e,
1033 + unsigned int targinfosize,
1034 + unsigned int hook_mask)
1036 + if (targinfosize != 0) {
1037 + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n",
1042 + if (strcmp(tablename, "raw") != 0) {
1043 + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename);
1050 +static struct ipt_target ipt_trace_reg = {
1053 + .checkentry = checkentry,
1055 + .me = THIS_MODULE,
1058 +static int __init init(void)
1060 + if (ipt_register_target(&ipt_trace_reg))
1066 +static void __exit fini(void)
1068 + ipt_unregister_target(&ipt_trace_reg);
1073 +MODULE_LICENSE("GPL");
1074 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1075 +MODULE_DESCRIPTION("IPv4 TRACE target");
1076 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_ULOG.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_ULOG.c
1077 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_ULOG.c 2003-10-08 21:24:03.000000000 +0200
1078 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_ULOG.c 2003-10-10 11:52:57.000000000 +0200
1080 #include <linux/netlink.h>
1081 #include <linux/netdevice.h>
1082 #include <linux/mm.h>
1083 +#include <linux/netfilter.h>
1084 #include <linux/netfilter_ipv4/ip_tables.h>
1085 #include <linux/netfilter_ipv4/ipt_ULOG.h>
1086 #include <linux/netfilter_ipv4/lockhelp.h>
1088 MODULE_PARM(flushtimeout, "i");
1089 MODULE_PARM_DESC(flushtimeout, "buffer flush timeout");
1091 +static unsigned int nflog = 1;
1092 +MODULE_PARM(nflog, "i");
1093 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
1095 /* global data structures */
1098 @@ -152,17 +157,17 @@
1102 -static unsigned int ipt_ulog_target(struct sk_buff **pskb,
1103 - const struct net_device *in,
1104 - const struct net_device *out,
1105 - unsigned int hooknum,
1106 - const void *targinfo, void *userinfo)
1107 +static void ipt_ulog_packet(unsigned int hooknum,
1108 + const struct sk_buff *skb,
1109 + const struct net_device *in,
1110 + const struct net_device *out,
1111 + const struct ipt_ulog_info *loginfo,
1112 + const char *prefix)
1115 ulog_packet_msg_t *pm;
1116 size_t size, copy_len;
1117 struct nlmsghdr *nlh;
1118 - struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
1120 /* ffs == find first bit set, necessary because userspace
1121 * is already shifting groupnumber, but we need unshifted.
1124 /* calculate the size of the skb needed */
1125 if ((loginfo->copy_range == 0) ||
1126 - (loginfo->copy_range > (*pskb)->len)) {
1127 - copy_len = (*pskb)->len;
1128 + (loginfo->copy_range > skb->len)) {
1129 + copy_len = skb->len;
1131 copy_len = loginfo->copy_range;
1133 @@ -209,19 +214,21 @@
1135 /* copy hook, prefix, timestamp, payload, etc. */
1136 pm->data_len = copy_len;
1137 - pm->timestamp_sec = (*pskb)->stamp.tv_sec;
1138 - pm->timestamp_usec = (*pskb)->stamp.tv_usec;
1139 - pm->mark = (*pskb)->nfmark;
1140 + pm->timestamp_sec = skb->stamp.tv_sec;
1141 + pm->timestamp_usec = skb->stamp.tv_usec;
1142 + pm->mark = skb->nfmark;
1144 - if (loginfo->prefix[0] != '\0')
1145 + if (prefix != NULL)
1146 + strncpy(pm->prefix, prefix, sizeof(pm->prefix));
1147 + else if (loginfo->prefix[0] != '\0')
1148 strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
1150 *(pm->prefix) = '\0';
1152 if (in && in->hard_header_len > 0
1153 - && (*pskb)->mac.raw != (void *) (*pskb)->nh.iph
1154 + && skb->mac.raw != (void *) skb->nh.iph
1155 && in->hard_header_len <= ULOG_MAC_LEN) {
1156 - memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
1157 + memcpy(pm->mac, skb->mac.raw, in->hard_header_len);
1158 pm->mac_len = in->hard_header_len;
1163 pm->outdev_name[0] = '\0';
1165 - /* copy_len <= (*pskb)->len, so can't fail. */
1166 - if (skb_copy_bits(*pskb, 0, pm->payload, copy_len) < 0)
1167 + /* copy_len <= skb->len, so can't fail. */
1168 + if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
1171 /* check if we are building multi-part messages */
1174 UNLOCK_BH(&ulog_lock);
1176 - return IPT_CONTINUE;
1181 PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
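Review bot: The new `prefix` branch at line 1146 copies a caller-supplied string into `pm->prefix` with `strncpy`, which leaves the field unterminated whenever the prefix is at least `sizeof(pm->prefix)` long; unlike `loginfo->prefix`, which is a fixed-size array presumably sized like `pm->prefix`, this `prefix` now arrives pre-formatted from `nf_log_packet` (for example the `TRACE: table/chain/rulenum ` string built in ip6_tables.c) and is not bounded by anything in this file. The message is then handed to userspace over netlink, where a reader that trusts the terminator runs past the field. Terminate explicitly: `strncpy(pm->prefix, prefix, sizeof(pm->prefix) - 1); pm->prefix[sizeof(pm->prefix) - 1] = '\0';` (or an `snprintf` with `"%s"`). ipt_ulog_packet's body continues outside this hunk.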
1182 @@ -271,8 +277,35 @@
1183 PRINTR("ipt_ULOG: Error building netlink message\n");
1185 UNLOCK_BH(&ulog_lock);
1188 +static unsigned int ipt_ulog_target(struct sk_buff **pskb,
1189 + const struct net_device *in,
1190 + const struct net_device *out,
1191 + unsigned int hooknum,
1192 + const void *targinfo, void *userinfo)
1194 + struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
1196 - return IPT_CONTINUE;
1197 + ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
1199 + return IPT_CONTINUE;
1202 +static void ipt_logfn(unsigned int hooknum,
1203 + const struct sk_buff *skb,
1204 + const struct net_device *in,
1205 + const struct net_device *out,
1206 + const char *prefix)
1208 + struct ipt_ulog_info loginfo = {
1209 + .nl_group = NFLOG_DEFAULT_NLGROUP,
1211 + .qthreshold = NFLOG_DEFAULT_QTHRESHOLD,
1215 + ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
1218 static int ipt_ulog_checkentry(const char *tablename,
1224 + nf_log_register(PF_INET, &ipt_logfn);
1231 DEBUGP("ipt_ULOG: cleanup_module\n");
1234 + nf_log_unregister(PF_INET, &ipt_logfn);
1236 ipt_unregister_target(&ipt_ulog_reg);
1237 sock_release(nflognl->sk_socket);
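Review bot: The result of `nf_log_register` at line 1224 is discarded, so if another PF_INET log backend is already registered the module loads silently without being the backend, and `fini` at line 1234 then unregisters a function that was never registered — how `nf_log_unregister` treats that is not visible here. The `nflog` module parameter added at the top of this file (default 1) is also not visibly consulted around the call; if an `if (nflog)` guard sits on a line dropped from this view, ignore that part. Something like `if (nflog && nf_log_register(PF_INET, &ipt_logfn) != 0) printk(KERN_WARNING "ipt_ULOG: could not register as netfilter log backend\n");` keeps the failure visible, and the same applies to ip6t_LOG.c's init at line 1989. Note also that `ipt_logfn` leaves `loginfo.copy_range` at its zero default, which by the size computation at lines 1125-1129 means the full packet is copied for every nf_log_packet call — fine if intended, but worth a comment in the initializer.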
1239 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_conntrack.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_conntrack.c
1240 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_conntrack.c 2003-10-08 21:24:44.000000000 +0200
1241 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_conntrack.c 2003-10-10 11:53:17.000000000 +0200
1244 #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
1247 + if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
1248 + statebit = IPT_CONNTRACK_STATE_UNTRACKED;
1250 statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
1252 statebit = IPT_CONNTRACK_STATE_INVALID;
1253 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_sctp.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_sctp.c
1254 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_sctp.c 1970-01-01 01:00:00.000000000 +0100
1255 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_sctp.c 2003-10-10 11:53:27.000000000 +0200
1257 +/* IP tables module for matching the SCTP header
1259 + * $ipt_sctp.c,v 1.3 2002/05/29 15:09:00 laforge Exp$
1261 + * (C) 2003 by Harald Welte <laforge@gnumonks.org>
1263 + * This software is distributed under the terms GNU GPL v2
1266 +#include <linux/module.h>
1267 +#include <linux/skbuff.h>
1268 +#include <linux/sctp.h>
1270 +#include <linux/netfilter_ipv4/ip_tables.h>
1271 +#include <linux/netfilter_ipv4/ipt_sctp.h>
1273 +MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
1274 +MODULE_DESCRIPTION("IP tables SCTP matching module");
1275 +MODULE_LICENSE("GPL");
1277 +/* Returns 1 if the port is matched by the range, 0 otherwise */
1279 +port_match(u_int16_t min, u_int16_t max, u_int16_t port, int invert)
1283 + ret = (port >= min && port <= max) ^ invert;
1287 +static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
1289 + sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) skb->data;
1291 + u_int32_t chunks_present = 0;
1295 + ch_end = ((u_int8_t *) ch) + WORD_ROUND(ntohs(ch->length));
1297 + if (ch->type < 32)
1298 + chunks_present |= (1 << ch_type);
1299 + else if (ch->type == SCTP_CID_ASCONF)
1300 + chunks_present |= (1 << 31);
1301 + else if (ch->type == SCTP_CID_ASCONF_ACK)
1302 + chunks_present |= (1 << 30);
1304 + ch = (sctp_chunkhdr_t *) ch_end;
1305 + } while (ch_end < skb->tail);
1307 + return ((chunks_present& chunk_mask) == chunks);
1310 +static int match(const struct sk_buff *skb, const struct net_device *in,
1311 + const struct net_device *out, const void *matchinfo,
1312 + int offset, const void *hdr, u_int16_t datalen,
1315 + const struct ipt_sctp_info *info = matchinfo;
1316 + const struct iphdr *iph = skb->nh.iph;
1317 + const struct sctphdr *sh = (struct sctphdr *) skb->h.raw;
1319 + if (iph->protocol != IPPROTO_SCTP)
1322 + if (offset == 1) {
1323 + duprintf("Dropping evil SCTP offset=1 frag.\n");
1326 + } else if (offset == 0 && datalen < sizeof(struct sctphdr)) {
1327 + /* We've been askd o examine this packet, and we can't.
1328 + * Hence, no choice but to drop. */
1329 + duprintf("Dropping evil SCTP offset=0 tinygram.\n");
1335 + && port_match(info->spts[0], info->spts[1],
1336 + ntohs(sh->source),
1337 + !!(info->invflags & IPT_SCTP_INV_SRCPT))
1338 + && port_match(info->dpts[0], info->dpts[1],
1340 + !!(info->invflags & IPT_SCTP_INV_DSTPT))
1341 + && chunk_match(skb, info->chunks, info->chunk_mask)
1345 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
1346 + void *matchinfo, unsigned int matchsize,
1347 + unsigned int hook_mask)
1349 + const struct ipt_sctp_info *info = matchinfo;
1351 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_sctp_info)))
1354 + if (ip->proto != IPPROTO_SCTP && !(ip->invflags & IPT_INV_PROTO))
1357 + if !(info->invflags & ~IPT_SCTP_INV_MASK)
1363 +static struct ipt_match sctp_match = {
1366 + .checkentry = &checkentry,
1367 + .me = THIS_MODULE,
1370 +static int __init init(void)
1372 + return ipt_register_match(&sctp_match);
1375 +static void __exit fini(void)
1377 + ipt_unregister_match(&sctp_match);
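Review bot: `chunk_match` walks chunk headers until `ch_end < skb->tail` fails (lines 1289-1305) without checking that the header being read lies inside the buffer, and a chunk whose `length` field is 0 (or anything that rounds to 0) gives `ch_end == ch`, so the loop never advances — one crafted packet would spin the softirq indefinitely. The walk also starts at `skb->data`, while `match` reads the SCTP common header from `skb->h.raw` (line 1317); unless `skb->data` has been advanced past that header on a path not shown here, the first "chunk" parsed is the IP header. Two further defects in the same section: line 1298 shifts by `ch_type`, which is not declared anywhere visible (the neighbouring lines use `ch->type`), and line 1357 reads `if !(info->invflags & ~IPT_SCTP_INV_MASK)`, which is not valid C and, judging by the adjacent checks, should reject the entry when unknown inverse flags are set: `if (info->invflags & ~IPT_SCTP_INV_MASK) return 0;`. The rewritten walker below bounds every read and stops on a non-advancing or truncated chunk.
```c
static int chunk_match(const struct sk_buff *skb, u_int32_t chunks, u_int32_t chunk_mask)
{
	/* First chunk follows the common header (was: skb->data — see note). */
	sctp_chunkhdr_t *ch = (sctp_chunkhdr_t *) (skb->h.raw + sizeof(struct sctphdr));
	/* … unchanged: ch_end / chunks_present declarations … */

	do {
		u_int16_t len;

		/* The chunk header itself must be inside the linear buffer before we read it. */
		if ((u_int8_t *) ch + sizeof(*ch) > skb->tail)
			break;
		len = ntohs(ch->length);
		ch_end = ((u_int8_t *) ch) + WORD_ROUND(len);
		/* A length shorter than the header never advances; treat it, and a chunk
		 * running past the buffer, as malformed and stop walking. */
		if (len < sizeof(*ch) || ch_end > skb->tail)
			break;

		/* … unchanged: chunks_present bookkeeping keyed on ch->type (not ch_type) … */

		ch = (sctp_chunkhdr_t *) ch_end;
	} while (ch_end < skb->tail);

	return ((chunks_present & chunk_mask) == chunks);
}
```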
1382 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_state.c linux-2.6.0-test7/net/ipv4/netfilter/ipt_state.c
1383 --- linux-2.6.0-test7.org/net/ipv4/netfilter/ipt_state.c 2003-10-08 21:24:53.000000000 +0200
1384 +++ linux-2.6.0-test7/net/ipv4/netfilter/ipt_state.c 2003-10-10 11:53:17.000000000 +0200
1386 enum ip_conntrack_info ctinfo;
1387 unsigned int statebit;
1389 - if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
1390 - statebit = IPT_STATE_INVALID;
1392 + if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
1393 + statebit = IPT_STATE_UNTRACKED;
1394 + else if (ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
1395 statebit = IPT_STATE_BIT(ctinfo);
1397 + statebit = IPT_STATE_INVALID;
1399 return (sinfo->statemask & statebit);
1401 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_filter.c linux-2.6.0-test7/net/ipv4/netfilter/iptable_filter.c
1402 --- linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_filter.c 2003-10-08 21:24:04.000000000 +0200
1403 +++ linux-2.6.0-test7/net/ipv4/netfilter/iptable_filter.c 2003-10-10 11:53:17.000000000 +0200
1406 sizeof(struct ipt_entry),
1407 sizeof(struct ipt_standard),
1408 - 0, { 0, 0 }, { } },
1409 + 0, NULL, 0, { 0, 0 }, { } },
1410 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1415 sizeof(struct ipt_entry),
1416 sizeof(struct ipt_standard),
1417 - 0, { 0, 0 }, { } },
1418 + 0, NULL, 0, { 0, 0 }, { } },
1419 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1424 sizeof(struct ipt_entry),
1425 sizeof(struct ipt_standard),
1426 - 0, { 0, 0 }, { } },
1427 + 0, NULL, 0, { 0, 0 }, { } },
1428 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1433 sizeof(struct ipt_entry),
1434 sizeof(struct ipt_error),
1435 - 0, { 0, 0 }, { } },
1436 + 0, NULL, 0, { 0, 0 }, { } },
1437 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1440 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_mangle.c linux-2.6.0-test7/net/ipv4/netfilter/iptable_mangle.c
1441 --- linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_mangle.c 2003-10-08 21:24:43.000000000 +0200
1442 +++ linux-2.6.0-test7/net/ipv4/netfilter/iptable_mangle.c 2003-10-10 11:53:17.000000000 +0200
1445 sizeof(struct ipt_entry),
1446 sizeof(struct ipt_standard),
1447 - 0, { 0, 0 }, { } },
1448 + 0, NULL, 0, { 0, 0 }, { } },
1449 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1454 sizeof(struct ipt_entry),
1455 sizeof(struct ipt_standard),
1456 - 0, { 0, 0 }, { } },
1457 + 0, NULL, 0, { 0, 0 }, { } },
1458 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1463 sizeof(struct ipt_entry),
1464 sizeof(struct ipt_standard),
1465 - 0, { 0, 0 }, { } },
1466 + 0, NULL, 0, { 0, 0 }, { } },
1467 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1472 sizeof(struct ipt_entry),
1473 sizeof(struct ipt_standard),
1474 - 0, { 0, 0 }, { } },
1475 + 0, NULL, 0, { 0, 0 }, { } },
1476 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1481 sizeof(struct ipt_entry),
1482 sizeof(struct ipt_standard),
1483 - 0, { 0, 0 }, { } },
1484 + 0, NULL, 0, { 0, 0 }, { } },
1485 { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1490 sizeof(struct ipt_entry),
1491 sizeof(struct ipt_error),
1492 - 0, { 0, 0 }, { } },
1493 + 0, NULL, 0, { 0, 0 }, { } },
1494 { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1497 diff -Nur linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_raw.c linux-2.6.0-test7/net/ipv4/netfilter/iptable_raw.c
1498 --- linux-2.6.0-test7.org/net/ipv4/netfilter/iptable_raw.c 1970-01-01 01:00:00.000000000 +0100
1499 +++ linux-2.6.0-test7/net/ipv4/netfilter/iptable_raw.c 2003-10-10 11:53:17.000000000 +0200
1502 + * 'raw' table, which is the very first hooked in at PRE_ROUTING and LOCAL_OUT .
1504 + * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
1506 +#include <linux/module.h>
1507 +#include <linux/netfilter_ipv4/ip_tables.h>
1509 +#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
1511 +/* Standard entry. */
1512 +struct ipt_standard
1514 + struct ipt_entry entry;
1515 + struct ipt_standard_target target;
1518 +struct ipt_error_target
1520 + struct ipt_entry_target target;
1521 + char errorname[IPT_FUNCTION_MAXNAMELEN];
1526 + struct ipt_entry entry;
1527 + struct ipt_error_target target;
1532 + struct ipt_replace repl;
1533 + struct ipt_standard entries[2];
1534 + struct ipt_error term;
1535 +} initial_table __initdata
1536 += { { "raw", RAW_VALID_HOOKS, 3,
1537 + sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
1538 + { [NF_IP_PRE_ROUTING] 0,
1539 + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
1540 + { [NF_IP_PRE_ROUTING] 0,
1541 + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
1545 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1547 + sizeof(struct ipt_entry),
1548 + sizeof(struct ipt_standard),
1549 + 0, NULL, 0, { 0, 0 }, { } },
1550 + { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1551 + -NF_ACCEPT - 1 } },
1553 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1555 + sizeof(struct ipt_entry),
1556 + sizeof(struct ipt_standard),
1557 + 0, NULL, 0, { 0, 0 }, { } },
1558 + { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
1559 + -NF_ACCEPT - 1 } }
1562 + { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
1564 + sizeof(struct ipt_entry),
1565 + sizeof(struct ipt_error),
1566 + 0, NULL, 0, { 0, 0 }, { } },
1567 + { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
1574 +static struct ipt_table packet_raw = {
1576 + .table = &initial_table.repl,
1577 + .valid_hooks = RAW_VALID_HOOKS,
1578 + .lock = RW_LOCK_UNLOCKED,
1579 + .me = THIS_MODULE,
1582 +/* The work comes in here from netfilter.c. */
1583 +static unsigned int
1584 +ipt_hook(unsigned int hook,
1585 + struct sk_buff **pskb,
1586 + const struct net_device *in,
1587 + const struct net_device *out,
1588 + int (*okfn)(struct sk_buff *))
1590 + return ipt_do_table(pskb, hook, in, out, &packet_raw, NULL);
1593 +/* 'raw' is the very first table. */
1594 +static struct nf_hook_ops ipt_ops[] = {
1595 + { /* PRE_ROUTING hook */
1597 + .owner = THIS_MODULE,
1599 + .hooknum = NF_IP_PRE_ROUTING,
1600 + .priority = NF_IP_PRI_RAW,
1602 + { /* LOCAL_OUT hook */
1604 + .owner = THIS_MODULE,
1606 + .hooknum = NF_IP_LOCAL_OUT,
1607 + .priority = NF_IP_PRI_RAW,
1611 +static int __init init(void)
1615 + /* Register table */
1616 + ret = ipt_register_table(&packet_raw);
1620 + /* Register hooks */
1621 + ret = nf_register_hook(&ipt_ops[0]);
1623 + goto cleanup_table;
1625 + ret = nf_register_hook(&ipt_ops[1]);
1627 + goto cleanup_hook0;
1632 + nf_unregister_hook(&ipt_ops[0]);
1634 + ipt_unregister_table(&packet_raw);
1639 +static void __exit fini(void)
1643 + for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
1644 + nf_unregister_hook(&ipt_ops[i]);
1646 + ipt_unregister_table(&packet_raw);
1651 +MODULE_LICENSE("GPL");
1652 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1653 +MODULE_DESCRIPTION("IPv4 raw table");
1654 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/Kconfig linux-2.6.0-test7/net/ipv6/netfilter/Kconfig
1655 --- linux-2.6.0-test7.org/net/ipv6/netfilter/Kconfig 2003-10-08 21:24:43.000000000 +0200
1656 +++ linux-2.6.0-test7/net/ipv6/netfilter/Kconfig 2003-10-10 11:53:17.000000000 +0200
1657 @@ -217,6 +217,31 @@
1659 To compile it as a module, choose M here. If unsure, say N.
1662 + tristate "Raw table"
1663 + depends on IP6_NF_IPTABLES
1665 + This option adds a `raw' table to iptables: see the man page for
1666 + iptables(8). This table is the very first in the netfilter
1667 + framework and hooks in at the PREROUTING and OUTPUT chains.
1668 + The TRACE target can be used in this table only.
1670 + To compile it as a module, choose M here. If unsure, say N.
1672 +config IP6_NF_TARGET_TRACE
1673 + tristate "TRACE target support"
1674 + depends on IP6_NF_RAW
1676 + The TRACE target allows packets to be traced as those matches
1677 + any subsequent rule in any IPv6 netfilter table/rule. The matched
1678 + rule and the packet is logged with the prefix
1680 + TRACE: tablename/chainname/rulenum
1682 + if the ip6t_LOG target is loaded in.
1684 + To compile it as a module, choose M here. If unsure, say N.
1686 #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
1689 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/Makefile linux-2.6.0-test7/net/ipv6/netfilter/Makefile
1690 --- linux-2.6.0-test7.org/net/ipv6/netfilter/Makefile 2003-10-08 21:24:15.000000000 +0200
1691 +++ linux-2.6.0-test7/net/ipv6/netfilter/Makefile 2003-10-10 11:53:17.000000000 +0200
1693 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
1694 obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
1695 obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
1696 +obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
1697 obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o
1698 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
1699 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
1700 +obj-$(CONFIG_IP6_NF_TARGET_TRACE) += ip6t_TRACE.o
1701 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
1702 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6_tables.c linux-2.6.0-test7/net/ipv6/netfilter/ip6_tables.c
1703 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6_tables.c 2003-10-08 21:24:43.000000000 +0200
1704 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6_tables.c 2003-10-10 11:53:18.000000000 +0200
1707 #include <linux/config.h>
1708 #include <linux/skbuff.h>
1709 +#include <linux/socket.h>
1710 #include <linux/kmod.h>
1711 #include <linux/vmalloc.h>
1712 #include <linux/netdevice.h>
1714 #include <asm/semaphore.h>
1715 #include <linux/proc_fs.h>
1717 +#include <linux/netfilter.h>
1718 #include <linux/netfilter_ipv6/ip6_tables.h>
1720 +static const char *hook6names[] = {
1721 + [NF_IP6_PRE_ROUTING] "PREROUTING",
1722 + [NF_IP6_LOCAL_IN] "INPUT",
1723 + [NF_IP6_FORWARD] "FORWARD",
1724 + [NF_IP6_LOCAL_OUT] "OUTPUT",
1725 + [NF_IP6_POST_ROUTING] "POSTROUTING",
1728 MODULE_LICENSE("GPL");
1729 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
1730 MODULE_DESCRIPTION("IPv6 packet filter");
1731 @@ -403,6 +413,12 @@
1733 t = ip6t_get_target(e);
1734 IP_NF_ASSERT(t->u.kernel.target);
1736 + /* The packet traced and the rule isn't an unconditional return/END. */
1737 + if (((*pskb)->nfcache & NFC_TRACE) && e->rulenum) {
1738 + nf_log_packet(AF_INET6, hook, *pskb, in, out, "TRACE: %s/%s/%u ",
1739 + table->name, e->chainname, e->rulenum);
1741 /* Standard target? */
1742 if (!t->u.kernel.target->target) {
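Review bot: `e->chainname` is printed through `%s` at line 1738, and for user-defined chains it points at the ERROR target's `t->data` (line 1762), i.e. the `errorname` array of a table loaded from userspace; unless the table checker elsewhere guarantees that array is NUL-terminated, a name that fills all `IP6T_FUNCTION_MAXNAMELEN` bytes makes the format read past it. Bounding the output here is cheap and does not depend on that guarantee: `"TRACE: %s/%.*s/%u "` with `IP6T_FUNCTION_MAXNAMELEN, e->chainname` as the arguments, or alternatively force termination of the errorname when the ERROR target is validated. The enclosing ip6t_do_table loop starts and ends outside this hunk.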
1744 @@ -556,6 +572,29 @@
1745 return find_inlist_lock(&ip6t_target, name, "ip6t_", error, mutex);
1749 +find_error_target(struct ip6t_entry *s,
1750 + struct ip6t_entry *e,
1753 + struct ip6t_entry_target *t;
1754 + static struct ip6t_entry *found = NULL;
1759 + t = ip6t_get_target(found);
1760 + if (strcmp(t->u.user.name,
1761 + IP6T_ERROR_TARGET) == 0) {
1762 + *chainname = t->data;
1771 /* All zeroes == unconditional rule. */
1773 unconditional(const struct ip6t_ip6 *ipv6)
1775 mark_source_chains(struct ip6t_table_info *newinfo, unsigned int valid_hooks)
1778 + char *chainname = NULL;
1779 + u_int32_t rulenum;
1781 /* No recursion; use packet counter to save back ptrs (reset
1782 to 0 as we leave), and comefrom to save source hook bitmask */
1785 /* Set initial back pointer. */
1786 e->counters.pcnt = pos;
1788 + chainname = (char *) hook6names[hook];
1791 struct ip6t_standard_target *t
1795 |= ((1 << hook) | (1 << NF_IP6_NUMHOOKS));
1796 + e->rulenum = rulenum++;
1797 + e->chainname = chainname;
1799 /* Unconditional return/END. */
1800 if (e->target_offset == sizeof(struct ip6t_entry)
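Review bot: `find_error_target` keeps its iteration state in a function-local `static struct ip6t_entry *found` (line 1754), so the helper is not reentrant, and a `found` value left over from an iteration that ended without reaching an ERROR target would point into a table that may have been freed by the time the next table is checked. If `found` is reset on one of the lines not shown here this is harmless; otherwise reset it on every exit path, or better, carry the state in the argument passed through IP6T_ENTRY_ITERATE instead of a static. What currently makes the static tolerable is that mark_source_chains runs at table-replace time under the caller's serialization, which is worth stating in a comment such as `/* static: iteration state across IP6T_ENTRY_ITERATE callbacks; callers are serialized by the table-replace path */`. Both find_error_target and mark_source_chains extend beyond the visible lines.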
1801 @@ -609,6 +654,10 @@
1802 && unconditional(&e->ipv6)) {
1803 unsigned int oldpos, size;
1805 + /* Set unconditional rulenum to zero. */
1807 + e->counters.bcnt = 0;
1809 /* Return: backtrack through the last
1812 @@ -634,6 +683,11 @@
1813 (newinfo->entries + pos);
1814 } while (oldpos == pos + e->next_offset);
1816 + /* Restore chainname, rulenum. */
1817 + chainname = e->chainname;
1818 + rulenum = e->counters.bcnt;
1819 + e->counters.bcnt = 0;
1821 /* Move along one */
1822 size = e->next_offset;
1823 e = (struct ip6t_entry *)
1824 @@ -649,6 +703,17 @@
1825 /* This a jump; chase it. */
1826 duprintf("Jump rule %u -> %u\n",
1828 + e->counters.bcnt = rulenum++;
1830 + e = (struct ip6t_entry *)
1831 + (newinfo->entries + newpos);
1832 + if (IP6T_ENTRY_ITERATE(newinfo->entries,
1834 + find_error_target,
1835 + e, &chainname) == 0) {
1836 + printk("ip6_tables: table screwed up!\n");
1840 /* ... this is a fallthru */
1841 newpos = pos + e->next_offset;
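Review bot: The rule numbering borrows `e->counters.bcnt` as a scratch slot to save `rulenum` across a jump (line 1828) and restore it on return (lines 1817-1819), and zeroes it for unconditional rules (line 1807); this only produces correct numbers if every entry's `bcnt` is zero when mark_source_chains starts, which holds only if the counters in the user-supplied replace are cleared earlier in translation — not visible here, please confirm. A comment at the first use would spare the next reader the detective work, e.g. `/* counters.bcnt is zero here (cleared during translation); reused as scratch for the caller's rulenum until the chain returns. */`. The `printk` at line 1836 also carries no log level; `printk(KERN_ERR "ip6_tables: table screwed up!\n");` makes the message filterable. The same scratch use appears in the two preceding hunks (lines 1807 and 1817-1819).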
1842 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_LOG.c linux-2.6.0-test7/net/ipv6/netfilter/ip6t_LOG.c
1843 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_LOG.c 2003-10-08 21:24:03.000000000 +0200
1844 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6t_LOG.c 2003-10-10 11:52:57.000000000 +0200
1847 #include <linux/module.h>
1848 #include <linux/skbuff.h>
1849 +#include <linux/socket.h>
1850 #include <linux/ip.h>
1851 #include <linux/spinlock.h>
1852 #include <linux/icmpv6.h>
1853 #include <net/udp.h>
1854 #include <net/tcp.h>
1855 #include <net/ipv6.h>
1856 +#include <linux/netfilter.h>
1857 #include <linux/netfilter_ipv6/ip6_tables.h>
1859 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
1860 MODULE_DESCRIPTION("IP6 tables LOG target module");
1861 MODULE_LICENSE("GPL");
1863 +static unsigned int nflog = 1;
1864 +MODULE_PARM(nflog, "i");
1865 +MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
1868 #include <net/route.h>
1869 #include <linux/netfilter_ipv6/ip6t_LOG.h>
1870 @@ -256,40 +262,38 @@
1874 -static unsigned int
1875 -ip6t_log_target(struct sk_buff **pskb,
1876 - unsigned int hooknum,
1877 - const struct net_device *in,
1878 - const struct net_device *out,
1879 - const void *targinfo,
1882 +ip6t_log_packet(unsigned int hooknum,
1883 + const struct sk_buff *skb,
1884 + const struct net_device *in,
1885 + const struct net_device *out,
1886 + const struct ip6t_log_info *loginfo,
1887 + const char *level_string,
1888 + const char *prefix)
1890 - struct ipv6hdr *ipv6h = (*pskb)->nh.ipv6h;
1891 - const struct ip6t_log_info *loginfo = targinfo;
1892 - char level_string[4] = "< >";
1893 + struct ipv6hdr *ipv6h = skb->nh.ipv6h;
1895 - level_string[1] = '0' + (loginfo->level % 8);
1896 spin_lock_bh(&log_lock);
1897 printk(level_string);
1898 printk("%sIN=%s OUT=%s ",
1900 + prefix == NULL ? loginfo->prefix : prefix,
1902 out ? out->name : "");
1904 /* MAC logging for input chain only. */
1906 - if ((*pskb)->dev && (*pskb)->dev->hard_header_len && (*pskb)->mac.raw != (void*)ipv6h) {
1907 - if ((*pskb)->dev->type != ARPHRD_SIT){
1908 + if (skb->dev && skb->dev->hard_header_len && skb->mac.raw != (void*)ipv6h) {
1909 + if (skb->dev->type != ARPHRD_SIT){
1911 - unsigned char *p = (*pskb)->mac.raw;
1912 - for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
1913 + unsigned char *p = skb->mac.raw;
1914 + for (i = 0; i < skb->dev->hard_header_len; i++,p++)
1915 printk("%02x%c", *p,
1916 - i==(*pskb)->dev->hard_header_len - 1
1917 + i==skb->dev->hard_header_len - 1
1921 - unsigned char *p = (*pskb)->mac.raw;
1922 - if ( p - (ETH_ALEN*2+2) > (*pskb)->head ){
1923 + unsigned char *p = skb->mac.raw;
1924 + if ( p - (ETH_ALEN*2+2) > skb->head ){
1926 for (i = 0; i < (ETH_ALEN); i++,p++)
1927 printk("%02x%s", *p,
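Review bot: `ip6t_log_packet` now takes `level_string` as a parameter (line 1887) and hands it straight to `printk(level_string)` as the format string (context line 1897); both callers in this file pass a constant (`KERN_WARNING`, or the `"<N>"` buffer built in the target), so it is harmless today, but a function that receives a string from its callers and uses it as a format is a pattern every later reviewer will flag again. `printk("%s", level_string);` costs nothing and removes the non-literal format. The body of ip6t_log_packet continues in the next hunks.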
1928 @@ -300,10 +304,10 @@
1929 i == ETH_ALEN-1 ? ' ' : ':');
1932 - if (((*pskb)->dev->addr_len == 4) &&
1933 - (*pskb)->dev->hard_header_len > 20){
1934 + if ((skb->dev->addr_len == 4) &&
1935 + skb->dev->hard_header_len > 20){
1937 - p = (*pskb)->mac.raw + 12;
1938 + p = skb->mac.raw + 12;
1939 for (i = 0; i < 4; i++,p++)
1941 i == 3 ? "->" : ".");
1942 @@ -319,10 +323,41 @@
1943 dump_packet(loginfo, ipv6h, 1);
1945 spin_unlock_bh(&log_lock);
1948 +static unsigned int
1949 +ip6t_log_target(struct sk_buff **pskb,
1950 + unsigned int hooknum,
1951 + const struct net_device *in,
1952 + const struct net_device *out,
1953 + const void *targinfo,
1956 + const struct ip6t_log_info *loginfo = targinfo;
1957 + char level_string[4] = "< >";
1959 + level_string[1] = '0' + (loginfo->level % 8);
1960 + ip6t_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
1962 return IP6T_CONTINUE;
1966 +ip6t_logfn(unsigned int hooknum,
1967 + const struct sk_buff *skb,
1968 + const struct net_device *in,
1969 + const struct net_device *out,
1970 + const char *prefix)
1972 + struct ip6t_log_info loginfo = {
1974 + .logflags = IP6T_LOG_MASK,
1978 + ip6t_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
1981 static int ip6t_log_checkentry(const char *tablename,
1982 const struct ip6t_entry *e,
1984 @@ -359,12 +394,17 @@
1986 if (ip6t_register_target(&ip6t_log_reg))
1989 + nf_log_register(PF_INET6, &ip6t_logfn);
1994 static void __exit fini(void)
1997 + nf_log_register(PF_INET6, &ip6t_logfn);
1999 ip6t_unregister_target(&ip6t_log_reg);
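Review bot: `fini` at line 1997 calls `nf_log_register` instead of `nf_log_unregister`, so unloading the module leaves `ip6t_logfn` registered as the PF_INET6 log backend and the next `nf_log_packet(AF_INET6, ...)` calls into unloaded module text. Change it to `nf_log_unregister(PF_INET6, &ip6t_logfn);`, matching the IPv4 counterpart in ipt_ULOG.c (line 1234). The registration at line 1989 also ignores the return value of `nf_log_register`; see the note on ipt_ULOG.c's init for the same point.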
2002 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_TRACE.c linux-2.6.0-test7/net/ipv6/netfilter/ip6t_TRACE.c
2003 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6t_TRACE.c 1970-01-01 01:00:00.000000000 +0100
2004 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6t_TRACE.c 2003-10-10 11:53:18.000000000 +0200
2006 +/* This is a module which is used for setting
2007 + * the NFC_TRACE flag in the nfcache field of an skb.
2009 +#include <linux/module.h>
2010 +#include <linux/skbuff.h>
2012 +#include <linux/netfilter_ipv6/ip6_tables.h>
2014 +static unsigned int
2015 +target(struct sk_buff **pskb,
2016 + unsigned int hooknum,
2017 + const struct net_device *in,
2018 + const struct net_device *out,
2019 + const void *targinfo,
2022 + (*pskb)->nfcache |= NFC_TRACE;
2023 + return IP6T_CONTINUE;
2027 +checkentry(const char *tablename,
2028 + const struct ip6t_entry *e,
2030 + unsigned int targinfosize,
2031 + unsigned int hook_mask)
2033 + if (targinfosize != 0) {
2034 + printk(KERN_WARNING "TRACE: targinfosize %u != 0\n",
2039 + if (strcmp(tablename, "raw") != 0) {
2040 + printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename);
2047 +static struct ip6t_target ip6t_trace_reg = {
2050 + .checkentry = checkentry,
2052 + .me = THIS_MODULE,
2055 +static int __init init(void)
2057 + if (ip6t_register_target(&ip6t_trace_reg))
2063 +static void __exit fini(void)
2065 + ip6t_unregister_target(&ip6t_trace_reg);
2071 +MODULE_LICENSE("GPL");
2072 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2073 +MODULE_DESCRIPTION("IPv6 TRACE target");
2075 \ No newline at end of file
2076 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_filter.c linux-2.6.0-test7/net/ipv6/netfilter/ip6table_filter.c
2077 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_filter.c 2003-10-08 21:24:01.000000000 +0200
2078 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6table_filter.c 2003-10-10 11:53:18.000000000 +0200
2081 sizeof(struct ip6t_entry),
2082 sizeof(struct ip6t_standard),
2083 - 0, { 0, 0 }, { } },
2084 + 0, NULL, 0, { 0, 0 }, { } },
2085 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2090 sizeof(struct ip6t_entry),
2091 sizeof(struct ip6t_standard),
2092 - 0, { 0, 0 }, { } },
2093 + 0, NULL, 0, { 0, 0 }, { } },
2094 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2099 sizeof(struct ip6t_entry),
2100 sizeof(struct ip6t_standard),
2101 - 0, { 0, 0 }, { } },
2102 + 0, NULL, 0, { 0, 0 }, { } },
2103 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2108 sizeof(struct ip6t_entry),
2109 sizeof(struct ip6t_error),
2110 - 0, { 0, 0 }, { } },
2111 + 0, NULL, 0, { 0, 0 }, { } },
2112 { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2115 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_mangle.c linux-2.6.0-test7/net/ipv6/netfilter/ip6table_mangle.c
2116 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_mangle.c 2003-10-08 21:24:04.000000000 +0200
2117 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6table_mangle.c 2003-10-10 11:53:18.000000000 +0200
2120 sizeof(struct ip6t_entry),
2121 sizeof(struct ip6t_standard),
2122 - 0, { 0, 0 }, { } },
2123 + 0, NULL, 0, { 0, 0 }, { } },
2124 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2129 sizeof(struct ip6t_entry),
2130 sizeof(struct ip6t_standard),
2131 - 0, { 0, 0 }, { } },
2132 + 0, NULL, 0, { 0, 0 }, { } },
2133 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2138 sizeof(struct ip6t_entry),
2139 sizeof(struct ip6t_standard),
2140 - 0, { 0, 0 }, { } },
2141 + 0, NULL, 0, { 0, 0 }, { } },
2142 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2147 sizeof(struct ip6t_entry),
2148 sizeof(struct ip6t_standard),
2149 - 0, { 0, 0 }, { } },
2150 + 0, NULL, 0, { 0, 0 }, { } },
2151 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2156 sizeof(struct ip6t_entry),
2157 sizeof(struct ip6t_standard),
2158 - 0, { 0, 0 }, { } },
2159 + 0, NULL, 0, { 0, 0 }, { } },
2160 { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2165 sizeof(struct ip6t_entry),
2166 sizeof(struct ip6t_error),
2167 - 0, { 0, 0 }, { } },
2168 + 0, NULL, 0, { 0, 0 }, { } },
2169 { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2172 diff -Nur linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_raw.c linux-2.6.0-test7/net/ipv6/netfilter/ip6table_raw.c
2173 --- linux-2.6.0-test7.org/net/ipv6/netfilter/ip6table_raw.c 1970-01-01 01:00:00.000000000 +0100
2174 +++ linux-2.6.0-test7/net/ipv6/netfilter/ip6table_raw.c 2003-10-10 11:53:18.000000000 +0200
2177 + * IPv6 raw table, a port of the IPv4 raw table to IPv6
2179 + * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2181 +#include <linux/module.h>
2182 +#include <linux/netfilter_ipv6/ip6_tables.h>
2184 +#define RAW_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT))
2187 +#define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args)
2189 +#define DEBUGP(x, args...)
2192 +/* Standard entry. */
2193 +struct ip6t_standard
2195 + struct ip6t_entry entry;
2196 + struct ip6t_standard_target target;
2199 +struct ip6t_error_target
2201 + struct ip6t_entry_target target;
2202 + char errorname[IP6T_FUNCTION_MAXNAMELEN];
2207 + struct ip6t_entry entry;
2208 + struct ip6t_error_target target;
2213 + struct ip6t_replace repl;
2214 + struct ip6t_standard entries[2];
2215 + struct ip6t_error term;
2216 +} initial_table __initdata
2217 += { { "raw", RAW_VALID_HOOKS, 3,
2218 + sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
2219 + { [NF_IP6_PRE_ROUTING] 0,
2220 + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
2221 + { [NF_IP6_PRE_ROUTING] 0,
2222 + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
2226 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2228 + sizeof(struct ip6t_entry),
2229 + sizeof(struct ip6t_standard),
2230 + 0, NULL, 0, { 0, 0 }, { } },
2231 + { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2232 + -NF_ACCEPT - 1 } },
2234 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2236 + sizeof(struct ip6t_entry),
2237 + sizeof(struct ip6t_standard),
2238 + 0, NULL, 0, { 0, 0 }, { } },
2239 + { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
2240 + -NF_ACCEPT - 1 } },
2243 + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
2245 + sizeof(struct ip6t_entry),
2246 + sizeof(struct ip6t_error),
2247 + 0, NULL, 0, { 0, 0 }, { } },
2248 + { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
2255 +static struct ip6t_table packet_raw = {
2257 + .table = &initial_table.repl,
2258 + .valid_hooks = RAW_VALID_HOOKS,
2259 + .lock = RW_LOCK_UNLOCKED,
2263 +/* The work comes in here from netfilter.c. */
2264 +static unsigned int
2265 +ip6t_hook(unsigned int hook,
2266 + struct sk_buff **pskb,
2267 + const struct net_device *in,
2268 + const struct net_device *out,
2269 + int (*okfn)(struct sk_buff *))
2271 + return ip6t_do_table(pskb, hook, in, out, &packet_raw, NULL);
2274 +static struct nf_hook_ops ip6t_ops[] = {
2275 + { /* PRE_ROUTING */
2276 + .hook = ip6t_hook,
2277 + .owner = THIS_MODULE,
2279 + .hooknum = NF_IP6_PRE_ROUTING,
2280 + .priority = NF_IP6_PRI_FIRST,
2283 + .hook = ip6t_hook,
2284 + .owner = THIS_MODULE,
2286 + .hooknum = NF_IP6_LOCAL_OUT,
2287 + .priority = NF_IP6_PRI_FIRST,
2291 +static int __init init(void)
2295 + /* Register table */
2296 + ret = ip6t_register_table(&packet_raw);
2300 + /* Register hooks */
2301 + ret = nf_register_hook(&ip6t_ops[0]);
2303 + goto cleanup_table;
2305 + ret = nf_register_hook(&ip6t_ops[1]);
2307 + goto cleanup_hook0;
2312 + nf_unregister_hook(&ip6t_ops[0]);
2314 + ip6t_unregister_table(&packet_raw);
2319 +static void __exit fini(void)
2323 + for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
2324 + nf_unregister_hook(&ip6t_ops[i]);
2326 + ip6t_unregister_table(&packet_raw);
2331 +MODULE_LICENSE("GPL");
2332 +MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
2333 +MODULE_DESCRIPTION("IPv6 raw table");
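Review bot: The hook registration in init() (L1351, L1353) is hand-unrolled for exactly two entries while fini() (L1358) derives the count from sizeof(ip6t_ops), so the two paths will drift apart as soon as another hook is added to ip6t_ops: init would silently skip it while fini would unregister something never registered. Driving init from the same array bound with an unwind loop keeps registration and teardown symmetric and also removes the second cleanup label; the rewrite below uses `sizeof(ip6t_ops)/sizeof(ip6t_ops[0])` so it depends on nothing beyond what the file already uses (an ARRAY_SIZE macro would read better if this tree provides one). Lines 2256 and 2260 of packet_raw's initializer are not shown; if `.me = THIS_MODULE,` is not among them it should be, so the table is tied to this module's lifetime like the hooks already are via `.owner`.
```c
static int __init init(void)
{
	int ret, i;

	/* Register table */
	ret = ip6t_register_table(&packet_raw);
	if (ret < 0)
		return ret;

	/* Register every hook in ip6t_ops; unwind the ones already
	 * registered if a later one fails. */
	for (i = 0; i < sizeof(ip6t_ops)/sizeof(ip6t_ops[0]); i++) {
		ret = nf_register_hook(&ip6t_ops[i]);
		if (ret < 0)
			goto cleanup_hooks;
	}
	return 0;

cleanup_hooks:
	while (--i >= 0)
		nf_unregister_hook(&ip6t_ops[i]);
	ip6t_unregister_table(&packet_raw);
	return ret;
}
/* … unchanged: fini(), module macros … */
```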
2334 diff -Nur linux-2.6.0-test7.org/netfilter-patch-o-matic/patches linux-2.6.0-test7/netfilter-patch-o-matic/patches
2335 --- linux-2.6.0-test7.org/netfilter-patch-o-matic/patches 1970-01-01 01:00:00.000000000 +0100
2336 +++ linux-2.6.0-test7/netfilter-patch-o-matic/patches 2003-10-10 11:54:22.000000000 +0200
2338 +./base/01_sctp_match.patch
2339 +./pending/23_REJECT-headroom-tcprst.patch
2340 +./pending/24_rcu.patch
2341 +./pending/25-err-ptr.patch
2342 +./pending/26-memsets.patch
2343 +./pending/40_nf-log.patch
2344 +./pending/70_expect-evict-order.patch
2345 +./pending/71_raw.patch
2346 +./submitted/02_REJECT-headroom-tcprst.patch
2347 +./submitted/03_260t4-mirror-remove.patch
2348 +./submitted/03_physdev_bridged.patch
2349 +./submitted/04_260t4-unclean-remove.patch
2350 +./submitted/04_config-fix.patch
2351 +./submitted/75_nathelper-udp-csum.patch
2352 +./submitted/76_mangle_udp-sizecheck.patch
2353 +./submitted/77_destroy-conntrack.patch
2354 +./submitted/78_reject-localout.patch
2355 +./submitted/80_ip_conntrack-proc.patch
2356 +./submitted/82_irc-conntrack-mirc-serverlookup.patch
2357 +./submitted/83_nolocalout.patch
2358 +./submitted/84_local-nullbinding.patch
2359 +./submitted/85_ipv6header.patch
2360 +./submitted/86_getorigdst-tuple-zero.patch