1 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ip_conntrack.h
2 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ip_conntrack.h 2004-03-22 08:57:53.000000000 +0000
3 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ip_conntrack.h 2004-03-22 09:08:35.000000000 +0000
6 #endif /* CONFIG_IP_NF_NAT_NEEDED */
8 +#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
14 /* get master conntrack via master expectation */
15 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_CONNMARK.h
16 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h 1970-01-01 00:00:00.000000000 +0000
17 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_CONNMARK.h 2004-03-22 09:08:35.000000000 +0000
19 +#ifndef _IPT_CONNMARK_H_target
20 +#define _IPT_CONNMARK_H_target
22 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
23 + * by Henrik Nordstrom <hno@marasystems.com>
25 + * This program is free software; you can redistribute it and/or modify
26 + * it under the terms of the GNU General Public License as published by
27 + * the Free Software Foundation; either version 2 of the License, or
28 + * (at your option) any later version.
32 + IPT_CONNMARK_SET = 0,
34 + IPT_CONNMARK_RESTORE
37 +struct ipt_connmark_target_info {
43 +#endif /*_IPT_CONNMARK_H_target*/
44 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_IPMARK.h
45 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 00:00:00.000000000 +0000
46 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_IPMARK.h 2004-03-22 09:00:56.000000000 +0000
48 +#ifndef _IPT_IPMARK_H_target
49 +#define _IPT_IPMARK_H_target
51 +struct ipt_ipmark_target_info {
52 + unsigned long andmask;
53 + unsigned long ormask;
57 +#define IPT_IPMARK_SRC 0
58 +#define IPT_IPMARK_DST 1
60 +#endif /*_IPT_IPMARK_H_target*/
61 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_XOR.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_XOR.h
62 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 00:00:00.000000000 +0000
63 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_XOR.h 2004-03-22 09:01:18.000000000 +0000
68 +struct ipt_XOR_info {
70 + u_int8_t block_size;
73 +#endif /* _IPT_XOR_H */
74 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_addrtype.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_addrtype.h
75 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_addrtype.h 1970-01-01 00:00:00.000000000 +0000
76 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_addrtype.h 2004-03-22 09:01:46.000000000 +0000
78 +#ifndef _IPT_ADDRTYPE_H
79 +#define _IPT_ADDRTYPE_H
81 +struct ipt_addrtype_info {
82 + u_int16_t source; /* source-type mask */
83 + u_int16_t dest; /* dest-type mask */
89 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_childlevel.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_childlevel.h
90 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_childlevel.h 1970-01-01 00:00:00.000000000 +0000
91 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_childlevel.h 2004-03-22 09:01:53.000000000 +0000
94 + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
95 + http://l7-filter.sf.net
97 + This program is free software; you can redistribute it and/or
98 + modify it under the terms of the GNU General Public License
99 + as published by the Free Software Foundation; either version
100 + 2 of the License, or (at your option) any later version.
101 + http://www.gnu.org/licenses/gpl.txt
104 +#ifndef _IPT_CHILDLEVEL_H
105 +#define _IPT_CHILDLEVEL_H
107 +typedef char *(*proc_ipt_search) (u_int32_t, u_int8_t);
109 +struct ipt_childlevel_info {
110 + u_int32_t childlevel;
114 +#endif /* _IPT_CHILDLEVEL_H */
115 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_connmark.h
116 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_connmark.h 1970-01-01 00:00:00.000000000 +0000
117 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_connmark.h 2004-03-22 09:08:35.000000000 +0000
119 +#ifndef _IPT_CONNMARK_H
120 +#define _IPT_CONNMARK_H
122 +/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
123 + * by Henrik Nordstrom <hno@marasystems.com>
125 + * This program is free software; you can redistribute it and/or modify
126 + * it under the terms of the GNU General Public License as published by
127 + * the Free Software Foundation; either version 2 of the License, or
128 + * (at your option) any later version.
131 +struct ipt_connmark_info {
132 + unsigned long mark, mask;
136 +#endif /*_IPT_CONNMARK_H*/
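Review bot: `unsigned long mark, mask;` in `struct ipt_connmark_info` is part of the setsockopt ABI that userspace iptables copies into the kernel, and `unsigned long` is 4 bytes for a 32-bit iptables binary but 8 bytes in a 64-bit kernel, so the match will read a differently laid-out structure (and presumably fail the size check) on mixed-width systems; declare the fields with a fixed-width type, `u_int32_t mark, mask;`, matching the `u_int32_t` already used by ipt_childlevel_info and the `u_int16_t` fields of ipt_addrtype_info in this same patch. The same pattern appears in ipt_IPMARK.h (`unsigned long andmask; unsigned long ormask;`) and should be fixed there as well, and any matching field in ipt_CONNMARK.h, whose struct body is not shown here, would need the same treatment. This is the last line of the new file; the start of the hunk is not shown here.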
137 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_policy.h linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_policy.h
138 --- linux-2.6.5-rc2.org/include/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 00:00:00.000000000 +0000
139 +++ linux-2.6.5-rc2/include/linux/netfilter_ipv4/ipt_policy.h 2004-03-22 09:02:50.000000000 +0000
141 +#ifndef _IPT_POLICY_H
142 +#define _IPT_POLICY_H
144 +#define POLICY_MAX_ELEM 4
146 +enum ipt_policy_flags
148 + POLICY_MATCH_IN = 0x1,
149 + POLICY_MATCH_OUT = 0x2,
150 + POLICY_MATCH_NONE = 0x4,
151 + POLICY_MATCH_STRICT = 0x8,
154 +enum ipt_policy_modes
156 + POLICY_MODE_TRANSPORT,
160 +struct ipt_policy_spec
170 +struct ipt_policy_elem
181 + struct ipt_policy_spec match;
182 + struct ipt_policy_spec invert;
185 +struct ipt_policy_info
187 + struct ipt_policy_elem pol[POLICY_MAX_ELEM];
192 +#endif /* _IPT_POLICY_H */
193 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/net/tcp.h linux-2.6.5-rc2/include/net/tcp.h
194 --- linux-2.6.5-rc2.org/include/net/tcp.h 2004-03-20 00:11:02.000000000 +0000
195 +++ linux-2.6.5-rc2/include/net/tcp.h 2004-03-22 09:02:35.000000000 +0000
197 extern void tcp_bucket_unlock(struct sock *sk);
198 extern int tcp_port_rover;
199 extern struct sock *tcp_v4_lookup_listener(u32 addr, unsigned short hnum, int dif);
200 +extern struct sock *tcp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 hnum, int dif);
202 /* These are AF independent. */
203 static __inline__ int tcp_bhashfn(__u16 lport)
204 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/include/net/udp.h linux-2.6.5-rc2/include/net/udp.h
205 --- linux-2.6.5-rc2.org/include/net/udp.h 2004-03-20 00:11:34.000000000 +0000
206 +++ linux-2.6.5-rc2/include/net/udp.h 2004-03-22 09:02:35.000000000 +0000
208 extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
209 extern int udp_disconnect(struct sock *sk, int flags);
211 +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
213 DECLARE_SNMP_STAT(struct udp_mib, udp_statistics);
214 #define UDP_INC_STATS(field) SNMP_INC_STATS(udp_statistics, field)
215 #define UDP_INC_STATS_BH(field) SNMP_INC_STATS_BH(udp_statistics, field)
216 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/core/netfilter.c linux-2.6.5-rc2/net/core/netfilter.c
217 --- linux-2.6.5-rc2.org/net/core/netfilter.c 2004-03-22 08:57:53.000000000 +0000
218 +++ linux-2.6.5-rc2/net/core/netfilter.c 2004-03-22 09:02:30.000000000 +0000
220 } queue_handler[NPROTO];
221 static rwlock_t queue_handler_lock = RW_LOCK_UNLOCKED;
224 + * nf_register_hook - Register with a netfilter hook
225 + * @reg: Hook operations to be registered
227 int nf_register_hook(struct nf_hook_ops *reg)
235 + * nf_unregister_hook - Unregister from a netfilter hook
236 + * @reg: hook operations to be unregistered
238 void nf_unregister_hook(struct nf_hook_ops *reg)
240 spin_lock_bh(&nf_hook_lock);
246 + * nf_register_queue_handler - Registere a queue handler with netfilter
247 + * @pf: protocol family
248 + * @outfn: function called by core to enqueue a packet
249 + * @data: opaque parameter, passed through
251 + * This function registers a queue handler with netfilter. There can only
252 + * be one queue handler for every protocol family.
254 + * A queue handler _must_ reinject every packet via nf_reinject, no
257 int nf_register_queue_handler(int pf, nf_queue_outfn_t outfn, void *data)
264 -/* The caller must flush their queue before this */
266 + * nf_unregister_queue_handler - Unregister queue handler from netfilter
267 + * @pf: protocol family
269 + * The caller must flush their queue before unregistering
271 int nf_unregister_queue_handler(int pf)
273 write_lock_bh(&queue_handler_lock);
279 + * nf_reinject - Reinject a packet from a queue handler
280 + * @skb: the packet to be reinjected
281 + * @info: info which was passed to the outfn() of the queue handler
282 + * @verdict: verdict (NF_ACCEPT, ...) for this packet
284 + * This is the function called by a queue handler to reinject a
287 void nf_reinject(struct sk_buff *skb, struct nf_info *info,
288 unsigned int verdict)
290 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/Kconfig linux-2.6.5-rc2/net/ipv4/netfilter/Kconfig
291 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/Kconfig 2004-03-22 08:57:53.000000000 +0000
292 +++ linux-2.6.5-rc2/net/ipv4/netfilter/Kconfig 2004-03-22 09:08:35.000000000 +0000
294 depends on IP_NF_IPTABLES
297 +config IP_NF_TARGET_IPMARK
298 + tristate 'IPMARK target support'
299 + depends on IP_NF_MANGLE
302 +config IP_NF_TARGET_XOR
303 + tristate 'XOR target support'
304 + depends on IP_NF_MANGLE
307 +config IP_NF_MATCH_ADDRTYPE
308 + tristate 'address type match support'
309 + depends on IP_NF_IPTABLES
312 +config IP_NF_MATCH_POLICY
313 + tristate "IPsec policy match support"
314 + depends on IP_NF_IPTABLES && XFRM
316 + Policy matching allows you to match packets based on the
317 + IPsec policy that was used during decapsulation/will
318 + be used during encapsulation.
320 + To compile it as a module, choose M here. If unsure, say N.
323 +config IP_NF_CONNTRACK_MARK
324 + bool 'Connection mark tracking support'
325 +config IP_NF_TARGET_CONNMARK
326 + tristate 'CONNMARK target support'
327 + depends on IP_NF_MANGLE
328 +config IP_NF_MATCH_CONNMARK
329 + tristate ' Connection mark match support'
330 + depends on IP_NF_IPTABLES
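Review bot: IP_NF_TARGET_CONNMARK and IP_NF_MATCH_CONNMARK do not depend on IP_NF_CONNTRACK_MARK, and IP_NF_CONNTRACK_MARK itself carries no `depends on IP_NF_CONNTRACK`, so the configurator lets a user enable the target and match while the conntrack field they operate on is compiled out (ip_conntrack.h only adds its new member under `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)`), which surfaces as a build break instead of a config error. Add `depends on IP_NF_CONNTRACK` under IP_NF_CONNTRACK_MARK and `depends on IP_NF_MANGLE && IP_NF_CONNTRACK_MARK` / `depends on IP_NF_IPTABLES && IP_NF_CONNTRACK_MARK` under the target and match respectively. The three CONNMARK entries also have no help text, unlike IP_NF_MATCH_POLICY just above, and the match prompt `' Connection mark match support'` has a stray leading space that will show in menuconfig. The tail of this Kconfig hunk is not shown here.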
335 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/Makefile linux-2.6.5-rc2/net/ipv4/netfilter/Makefile
336 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/Makefile 2004-03-22 08:57:53.000000000 +0000
337 +++ linux-2.6.5-rc2/net/ipv4/netfilter/Makefile 2004-03-22 09:08:35.000000000 +0000
340 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
341 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
342 +obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
343 obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
344 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
345 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
346 +obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
347 obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
349 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
350 +obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
353 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
355 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
356 obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
357 obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
358 +obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
359 obj-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ.o
360 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
361 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
363 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
364 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
365 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
366 +obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
367 +obj-$(CONFIG_IP_NF_TARGET_XOR) += ipt_XOR.o
368 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
369 obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
370 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
371 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.5-rc2/net/ipv4/netfilter/ip_conntrack_core.c
372 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c 2004-03-22 08:57:53.000000000 +0000
373 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ip_conntrack_core.c 2004-03-22 09:08:35.000000000 +0000
375 * 16 Jul 2002: Harald Welte <laforge@gnumonks.org>
376 * - add usage/reference counts to ip_conntrack_expect
377 * - export ip_conntrack[_expect]_{find_get,put} functions
378 + * 05 Aug 2002: Harald Welte <laforge@gnumonks.org>
379 + * - added DocBook-style comments for public API
382 #include <linux/config.h>
388 + * ip_ct_find_proto - Find layer 4 protocol helper for given protocol number
389 + * @protocol: protocol number
391 struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol)
393 struct ip_conntrack_protocol *p;
395 static int ip_conntrack_hash_rnd_initted;
396 static unsigned int ip_conntrack_hash_rnd;
399 + * hash_conntrack - Calculate the position of an entry in the connection
401 + * @tuple: conntrack tuple which we want to calculate the hash position
404 hash_conntrack(const struct ip_conntrack_tuple *tuple)
407 ip_conntrack_hash_rnd) % ip_conntrack_htable_size);
411 + * get_tuple - set all the fields of a tuple which is passed as parameter
412 + * given a network buffer.
413 + * @iph:pointer an IP header.
414 + * @skb:network buffer for which we want to generate the tuple
415 + * @dataoff: FIXME: Deprecated?
416 + * @tuple: tuple which will be generate. Used as return parameter.
417 + * @protocol: structure which contains pointer to protocol specific functions.
419 + * Note: This function doesn't allocate space for the tuple passed as
420 + * parameter. The function pkt_to_packet which set all the protocol specific
421 + * fields of a given tuple.
424 get_tuple(const struct iphdr *iph,
425 const struct sk_buff *skb,
427 return protocol->pkt_to_tuple(skb, dataoff, tuple);
431 + * invert_tuple - Returns the inverse of a given tuple. It is used to
432 + * calculate the tuple which represents the other sense of the flow
434 + * @inverse: the inverted tuple. Use as return value.
435 + * @orig: the original tuple which will be inverted.
436 + * @protocol: a pointer to the protocol structure which contains all the
437 + * specifical functions available for this tuple.
440 invert_tuple(struct ip_conntrack_tuple *inverse,
441 const struct ip_conntrack_tuple *orig,
444 /* ip_conntrack_expect helper functions */
446 -/* Compare tuple parts depending on mask. */
448 + * expect_cmp - compare a tuple with a expectation depending on a mask
449 + * @i: pointer to an expectation.
450 + * @tuple: tuple which will be compared with the expectation tuple.
452 + * Actually the tuple field of an expectation is compared with a tuple
453 + * This function is used by LIST_FIND to find a expectation which match a te
456 static inline int expect_cmp(const struct ip_conntrack_expect *i,
457 const struct ip_conntrack_tuple *tuple)
460 return ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask);
464 + * destroy_expect - Release all the resources allocated by an expectation.
465 + * @exp: pointer to the expectation which we want to release.
468 destroy_expect(struct ip_conntrack_expect *exp)
476 + * ip_conntrack_expect_put - it decrements the counter of use related
477 + * associated to an expectation and it calls destroy_expect.
478 + * @exp: pointer to the expectation which we want to release.
480 inline void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
484 struct ip_conntrack_expect *, tuple);
487 -/* Find a expectation corresponding to a tuple. */
489 + * ip_conntrack_find_get - find conntrack according to tuple
490 + * @tuple: conntrack tuple for which we search conntrack
491 + * @ignored_conntrack: ignore this conntrack during search
493 + * This function increments the reference count of the found
494 + * conntrack (if any).
496 struct ip_conntrack_expect *
497 ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple)
503 -/* Find a connection corresponding to a tuple. */
505 + * ip_conntrack_find_get - find conntrack according to tuple
506 + * @tuple: conntrack tuple for which we search conntrack
507 + * @ignored_conntrack: ignore this conntrack during search
509 + * This function increments the reference count of the found
510 + * conntrack (if any).
512 struct ip_conntrack_tuple_hash *
513 ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
514 const struct ip_conntrack *ignored_conntrack)
519 -/* Return conntrack and conntrack_info given skb->nfct->master */
521 + * ip_conntrack_get - Return conntrack and conntrack_info for given skb
522 + * @skb: skb for which we want to find conntrack and conntrack_info
523 + * @ctinfo: pointer to ctinfo, used as return value
525 + * This function resolves the respective conntrack and conntrack_info
526 + * structures for the connection this packet (skb) is part of.
528 struct ip_conntrack *
529 ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
535 -/* Returns true if a connection correspondings to the tuple (required
538 + * ip_conntrack_tuple_taken - Find out if tuple is already in use
539 + * @tuple: tuple to be used for this test
540 + * @ignored_conntrack: conntrack which is excluded from result
542 + * This function is called by the NAT code in order to find out if
543 + * a particular tuple is already in use by some connection.
546 ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
547 const struct ip_conntrack *ignored_conntrack)
550 return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask);
554 + * ip_ct_find_helper - Find application helper according to tuple
555 + * @tuple: tuple for which helper needs to be found
557 + * This function is used to determine if any registered conntrack helper
558 + * is to be used for the given tuple.
560 struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple)
562 return LIST_FIND(&helpers, helper_cmp,
563 @@ -714,12 +796,15 @@
564 conntrack, expected);
565 /* Welcome, Mr. Bond. We've been expecting you... */
566 IP_NF_ASSERT(master_ct(conntrack));
567 - __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
568 - conntrack->master = expected;
569 - expected->sibling = conntrack;
570 - LIST_DELETE(&ip_conntrack_expect_list, expected);
571 - expected->expectant->expecting--;
572 - nf_conntrack_get(&master_ct(conntrack)->infos[0]);
573 + __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
574 + conntrack->master = expected;
575 + expected->sibling = conntrack;
576 +#if CONFIG_IP_NF_CONNTRACK_MARK
577 + conntrack->mark = expected->expectant->mark;
579 + LIST_DELETE(&ip_conntrack_expect_list, expected);
580 + expected->expectant->expecting--;
581 + nf_conntrack_get(&master_ct(conntrack)->infos[0]);
583 /* this is a braindead... --pablo */
584 atomic_inc(&ip_conntrack_count);
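Review bot: The new guard `#if CONFIG_IP_NF_CONNTRACK_MARK` around `conntrack->mark = expected->expectant->mark;` tests the macro's value, whereas ip_conntrack.h and ip_conntrack_standalone.c in this same patch use `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)`; with the option disabled the bare `#if` only works because the preprocessor treats an undefined identifier as 0 (and it trips -Wundef), so make the three sites agree with `#ifdef CONFIG_IP_NF_CONNTRACK_MARK`. The inheritance also deserves a one-line comment, because it silently extends any mark-keyed policy (routing, classification, CONNMARK --restore-mark) from the control connection to every helper-expected child: `/* Expected (helper-created) connections inherit the master's mark so mark-based policy covers them. */`. Six surrounding lines are removed and re-added only to change their leading whitespace, which hides the single real change in this hunk; the re-indent should be dropped or split out. The enclosing function starts and ends outside the hunk.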
586 return ip_ct_tuple_mask_cmp(&i->tuple, tuple, &intersect_mask);
590 + * ip_conntrack_unexpect_related - Unexpect a related connection
591 + * @expect: expecattin to be removed
593 + * This function removes an existing expectation, that has not yet been
594 + * confirmed (i.e. expectation was issued, but expected connection didn't
597 inline void ip_conntrack_unexpect_related(struct ip_conntrack_expect *expect)
599 WRITE_LOCK(&ip_conntrack_lock);
600 @@ -927,7 +1020,20 @@
601 WRITE_UNLOCK(&ip_conntrack_lock);
604 -/* Add a related connection. */
606 + * ip_conntrack_expect_related - Expect a related connection
607 + * @related_to: master conntrack
608 + * @expect: expectation with all values filled in
610 + * This function is called by conntrack application helpers who
611 + * have detected that the control (master) connection is just about
612 + * to negotiate a related slave connection.
614 + * Note: This function allocates it's own struct ip_conntrack_expect,
615 + * copying the values from the 'expect' parameter. Thus, 'expect' can
616 + * be allocated on the stack and does not need to be valid after this
617 + * function returns.
619 int ip_conntrack_expect_related(struct ip_conntrack *related_to,
620 struct ip_conntrack_expect *expect)
622 @@ -1057,7 +1163,15 @@
626 -/* Change tuple in an existing expectation */
628 + * ip_conntrack_change_expect - Change tuple in existing expectation
629 + * @expect: expectation which is to be changed
630 + * @newtuple: new tuple for expect
632 + * This function is mostly called by NAT application helpers, who want to
633 + * change an expectation issued by their respective conntrack application
634 + * helper counterpart.
636 int ip_conntrack_change_expect(struct ip_conntrack_expect *expect,
637 struct ip_conntrack_tuple *newtuple)
639 @@ -1098,8 +1212,15 @@
643 -/* Alter reply tuple (maybe alter helper). If it's already taken,
644 - return 0 and don't do alteration. */
646 + * ip_conntrack_alter_reply - Alter reply tuple of conntrack
647 + * @conntrack: conntrack whose reply tuple we want to alter
648 + * @newreply: designated reply tuple for this conntrack
650 + * This function alters the reply tuple of a conntrack to the given
651 + * newreply tuple. If this newreply tuple is already taken, return 0
652 + * and don't do alteration
654 int ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
655 const struct ip_conntrack_tuple *newreply)
657 @@ -1124,6 +1245,13 @@
662 + * ip_conntrack_helper_register - Register a conntrack application helper
663 + * @me: structure describing the helper
665 + * This function is called by conntrack application helpers to register
666 + * themselves with the conntrack core.
668 int ip_conntrack_helper_register(struct ip_conntrack_helper *me)
670 WRITE_LOCK(&ip_conntrack_lock);
671 @@ -1145,6 +1273,13 @@
676 + * ip_conntrack_helper_unregister - Unregister a conntrack application helper
677 + * @me: structure describing the helper
679 + * This function is called by conntrack application helpers to unregister
680 + * themselvers from the conntrack core.
682 void ip_conntrack_helper_unregister(struct ip_conntrack_helper *me)
685 @@ -1163,7 +1298,14 @@
689 -/* Refresh conntrack for this many jiffies. */
691 + * ip_ct_refresh - Refresh conntrack timer for given conntrack
692 + * @ct: conntrack which we want to refresh
693 + * @extra_jiffies: number of jiffies to add
695 + * This function is called by protocol helpers and application helpers in
696 + * order to change the expiration timer of a conntrack entry.
698 void ip_ct_refresh(struct ip_conntrack *ct, unsigned long extra_jiffies)
700 IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
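Review bot: `@extra_jiffies: number of jiffies to add` is ambiguous about what the value is added to; the comment this hunk removes said the conntrack is refreshed *for* this many jiffies, i.e. (if the body, which is outside the hunk, still behaves that way) the new expiry is `jiffies + extra_jiffies` counted from now, not the current expiry extended by that amount. Helpers that get this wrong keep connections alive far longer than intended, so spell it out: `@extra_jiffies: new lifetime of the entry in jiffies, measured from now (the previous expiry is discarded)`. The body of ip_ct_refresh continues outside the hunk.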
701 @@ -1182,7 +1324,16 @@
702 WRITE_UNLOCK(&ip_conntrack_lock);
705 -/* Returns new sk_buff, or NULL */
708 + * ip_ct_gather_frags - Gather fragments of a particular skb
709 + * @skb: pointer to sk_buff of fragmented IP packet
711 + * This code is just a wrapper around the defragmentation code in the core IPv4
712 + * stack. It also takes care of nonlinear skb's.
714 + * Returns new sk_buff, or NULL
717 ip_ct_gather_frags(struct sk_buff *skb)
719 @@ -1266,6 +1417,16 @@
724 + * ip_ct_selective_cleanup - Selectively delete a set of conntrack entries
725 + * @kill: callback function selecting which entries to delete
726 + * @data: opaque data pointer, becomes 2nd argument for kill function
728 + * This function can be used to selectively delete elements of the conntrack
729 + * hashtable. The function iterates over the list of conntrack entries and
730 + * calls the 'kill' function for every entry. If the return value is true,
731 + * the connection is deleted (death_by_timeout).
734 ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
736 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.5-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c
737 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-03-22 08:57:53.000000000 +0000
738 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-03-22 09:08:35.000000000 +0000
740 len += sprintf(buffer + len, "[ASSURED] ");
741 len += sprintf(buffer + len, "use=%u ",
742 atomic_read(&conntrack->ct_general.use));
743 +#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
744 + len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
746 len += sprintf(buffer + len, "\n");
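Review bot: `sprintf(buffer + len, "mark=%ld ", conntrack->mark)` prints the mark with a signed conversion; ipt_connmark_info declares marks as `unsigned long` in this same patch, so if `conntrack->mark` has the same type (its declaration is not shown here) any mark with the top bit set appears as a negative number in /proc/net/ip_conntrack, which breaks tools that parse that file and compare against the values set with iptables. Use `"mark=%lu "`, and if the field is later narrowed to a fixed-width type the format must follow it. The tail of this hunk is not shown here.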
749 @@ -569,13 +572,20 @@
753 -/* FIXME: Allow NULL functions and sub in pointers to generic for
756 + * ip_conntrack_protocol_register - Register layer 4 protocol helper
757 + * @proto: structure describing this layer 4 protocol helper
759 + * This function is called by layer 4 protocol helpers to register
760 + * themselves with the conntrack core.
762 int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
767 + /* FIXME: Allow NULL functions and sub in pointers to generic for
769 WRITE_LOCK(&ip_conntrack_lock);
770 list_for_each(i, &protocol_list) {
771 if (((struct ip_conntrack_protocol *)i)->proto
772 @@ -592,12 +602,20 @@
777 + * ip_conntrack_protocol_unregister - Unregister layer 4 protocol helper
778 + * @proto: structure describing this layer 4 protocol helper
780 + * This function is called byh layer 4 protocol helpers to unregister
781 + * themselvers from the conntrack core. Please note that all conntrack
782 + * entries for this protocol are deleted from the conntrack hash table.
784 void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
786 WRITE_LOCK(&ip_conntrack_lock);
788 - /* ip_ct_find_proto() returns proto_generic in case there is no protocol
789 - * helper. So this should be enough - HW */
790 + /* ip_ct_find_proto() returns proto_generic in case there is no
791 + * protocol helper. So this should be enough - HW */
792 LIST_DELETE(&protocol_list, proto);
793 WRITE_UNLOCK(&ip_conntrack_lock);
795 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_nat_core.c linux-2.6.5-rc2/net/ipv4/netfilter/ip_nat_core.c
796 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_nat_core.c 2004-03-22 08:57:53.000000000 +0000
797 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ip_nat_core.c 2004-03-22 09:02:30.000000000 +0000
799 WRITE_UNLOCK(&ip_nat_lock);
802 -/* We do checksum mangling, so if they were wrong before they're still
803 - * wrong. Also works for incomplete packets (eg. ICMP dest
804 - * unreachables.) */
806 + * ip_nat_cheat_check - Incremental checksum change for IP/TCP checksum
807 + * @oldvalinv: bit-inverted old value of 32bit word
808 + * @newval: new value of 32bit word
809 + * @oldcheck: old checksum value
811 + * This function implements incremental checksum mangling, so if a checksum
812 + * was wrong it will still be wrong after mangling. Also works for incomplete
813 + * packets (eg. ICMP dest unreachables). Return value is the new checksum.
816 ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
822 -/* Is this tuple already taken? (not by us) */
824 + * ip_nat_used_tuple - Is this tuple already in use?
825 + * @tuple: tuple to be used for this check
826 + * @ignored_conntrack: conntrack excluded from this check
828 + * This function checks for the reply (inverted) tuple in the conntrack
829 + * hash. This is necessarry with NAT, since there is no fixed mapping.
832 ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple,
833 const struct ip_conntrack *ignored_conntrack)
839 + * ip_nat_setup_info - Set up NAT mappings for NEW packet
840 + * @conntrack: conntrack on which we operate
841 + * @mr: address/port range which is valid for this NAT mapping
842 + * @hooknum: hook at which this NAT mapping applies
844 + * This function is called by NAT targets (SNAT,DNAT,...) and by
845 + * the NAT application helper modules. It is called for the NEW packet
846 + * of a connection in order to specify which NAT mappings shall apply to
847 + * this connection at a given hook.
849 + * Note: The reply mappings are created automagically by this function.
852 ip_nat_setup_info(struct ip_conntrack *conntrack,
853 const struct ip_nat_multi_range *mr,
854 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_nat_helper.c linux-2.6.5-rc2/net/ipv4/netfilter/ip_nat_helper.c
855 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_nat_helper.c 2004-03-20 00:11:02.000000000 +0000
856 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ip_nat_helper.c 2004-03-22 09:02:30.000000000 +0000
861 -/* Generic function for mangling variable-length address changes inside
862 - * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX
865 + * ip_nat_mangle_tcp_packet - Mangle and potentially resize payload packet
866 + * @skb: pointer to skb of packet on which we operate
867 + * @ct: conntrack of the connection to which this packet belongs
868 + * @ctinfo: conntrack_info of the connection to which this packet belongs
869 + * @match_offset: offset in bytes where to-be-manipulated part starts
870 + * @match_len: lenght of the to-be-manipulated part
871 + * @rep_buffer: pointer to buffer containing replacement
872 + * @rep_len: length of replacement
874 + * Generic function for mangling fixed and variable-length changes inside
875 + * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX command
878 * Takes care about all the nasty sequence number changes, checksumming,
879 * skb enlargement, ...
880 @@ -198,16 +208,27 @@
884 -/* Generic function for mangling variable-length address changes inside
885 - * NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX
886 - * command in the Amanda protocol)
888 + * ip_nat_mangle_udp_packet - Mangle and potentially resize payload packet
889 + * @skb: pointer to skb of packet on which we operate
890 + * @ct: conntrack of the connection to which this packet belongs
891 + * @ctinfo: conntrack_info of the connection to which this packet belongs
892 + * @match_offset: offset in bytes where to-be-manipulated part starts
893 + * @match_len: lenght of the to-be-manipulated part
894 + * @rep_buffer: pointer to buffer containing replacement
895 + * @rep_len: length of replacement
897 + * Generic function for mangling fixed and variable-length changes inside
898 + * NATed TCP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX
899 + * commad in the Amanda protocol)
901 * Takes care about all the nasty sequence number changes, checksumming,
902 * skb enlargement, ...
904 - * XXX - This function could be merged with ip_nat_mangle_tcp_packet which
905 - * should be fairly easy to do.
907 + * FIXME: should be unified with ip_nat_mangle_tcp_packet!!
912 ip_nat_mangle_udp_packet(struct sk_buff **pskb,
913 struct ip_conntrack *ct,
915 return ip_ct_tuple_mask_cmp(tuple, &helper->tuple, &helper->mask);
919 + * ip_nat_helper_register - Register NAT application helper
920 + * @me: structure describing the helper
922 + * This function is called by NAT application helpers to register
923 + * themselves with the NAT core.
925 int ip_nat_helper_register(struct ip_nat_helper *me)
933 + * ip_nat_helper_unregister - Unregister NAT application helper
934 + * @me: structure describing the helper
936 + * This function is called by NAT application helpers to unregister
937 + * themselves from the NAT core.
939 void ip_nat_helper_unregister(struct ip_nat_helper *me)
941 WRITE_LOCK(&ip_nat_lock);
942 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_nat_standalone.c linux-2.6.5-rc2/net/ipv4/netfilter/ip_nat_standalone.c
943 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_nat_standalone.c 2004-03-20 00:11:34.000000000 +0000
944 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ip_nat_standalone.c 2004-03-22 09:02:30.000000000 +0000
949 -/* Protocol registration. */
951 + * ip_nat_protocol_register - Register a layer 4 protocol helper
952 + * @proto: structure describing this helper
954 + * This function is called by NAT layer 4 protocol helpers to register
955 + * themselvers with the NAT core.
957 int ip_nat_protocol_register(struct ip_nat_protocol *proto)
964 -/* Noone stores the protocol anywhere; simply delete it. */
966 + * ip_nat_protocol_unregister - Unregister a layer 4 protocol helper
967 + * @proto: structure describing the helper
969 + * This function is called by NAT layer 4 protocol helpers to
970 + * unregister themselves from the NAT core.
972 void ip_nat_protocol_unregister(struct ip_nat_protocol *proto)
974 + /* Noone stores the protocol anywhere; simply delete it. */
975 WRITE_LOCK(&ip_nat_lock);
976 LIST_DELETE(&protos, proto);
977 WRITE_UNLOCK(&ip_nat_lock);
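Review bot: The new kernel-doc block for ip_nat_protocol_register (line 955) misspells `themselvers`; it should read `themselves with the NAT core.` Moving the `Noone stores the protocol anywhere` remark from the function header into the body of ip_nat_protocol_unregister (line 974) keeps the original intent, though `No one` is the conventional spelling if the line is being touched anyway.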
978 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_tables.c linux-2.6.5-rc2/net/ipv4/netfilter/ip_tables.c
979 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ip_tables.c 2004-03-20 00:11:03.000000000 +0000
980 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ip_tables.c 2004-03-22 09:02:27.000000000 +0000
982 * it under the terms of the GNU General Public License version 2 as
983 * published by the Free Software Foundation.
985 + * 6 Mar 2002 Robert Olsson <robban@robtex.com>
986 + * 17 Apr 2003 Chris Wilson <chris@netservers.co.uk>
987 + * - mark_source_chains speedup for complex chains
989 * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
990 * - increase module usage count as soon as we have rules inside
996 + /* keep track of where we have been: */
997 + unsigned char *been = vmalloc(newinfo->size);
999 /* No recursion; use packet counter to save back ptrs (reset
1000 to 0 as we leave), and comefrom to save source hook bitmask */
1001 for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
1004 /* Set initial back pointer. */
1005 e->counters.pcnt = pos;
1006 + memset(been, 0, newinfo->size);
1009 struct ipt_standard_target *t
1011 if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
1012 printk("iptables: loop hook %u pos %u %08X.\n",
1013 hook, pos, e->comefrom);
1018 @@ -565,10 +574,14 @@
1020 int newpos = t->verdict;
1022 - if (strcmp(t->target.u.user.name,
1023 + if ( (pos < 0 || pos >= newinfo->size
1025 + && strcmp(t->target.u.user.name,
1026 IPT_STANDARD_TARGET) == 0
1028 /* This a jump; chase it. */
1029 + if (pos >= 0 && pos < newinfo->size)
1031 duprintf("Jump rule %u -> %u\n",
1036 duprintf("Finished chain %u\n", hook);
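Review bot: The `been` buffer allocated with vmalloc(newinfo->size) at line 997 is handed to memset at line 1006 without a NULL check, so an allocation failure while loading a large ruleset oopses inside mark_source_chains; add `if (!been) return 0;` directly after the allocation, assuming 0 is still the failure value the caller of mark_source_chains tests for. The function has several return paths, the loop-detection error after the printk at line 1012 among them, and the matching vfree(been) is not within the visible lines, so confirm every path frees it. At line 1023 `pos` is an unsigned int in the original mark_source_chains, so `pos < 0` can never be true; if the range test was meant for `newpos`, the jump target read from the rule at line 1020 and the only value here that can actually be out of range, it is checking the wrong variable. mark_source_chains begins and ends outside the visible hunks.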
1042 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_CONNMARK.c
1043 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_CONNMARK.c 1970-01-01 00:00:00.000000000 +0000
1044 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_CONNMARK.c 2004-03-22 09:08:35.000000000 +0000
1046 +/* This kernel module is used to modify the connection mark values, or
1047 + * to optionally restore the skb nfmark from the connection mark
1049 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
1050 + * by Henrik Nordstrom <hno@marasystems.com>
1052 + * This program is free software; you can redistribute it and/or modify
1053 + * it under the terms of the GNU General Public License as published by
1054 + * the Free Software Foundation; either version 2 of the License, or
1055 + * (at your option) any later version.
1057 + * This program is distributed in the hope that it will be useful,
1058 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
1059 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1060 + * GNU General Public License for more details.
1062 + * You should have received a copy of the GNU General Public License
1063 + * along with this program; if not, write to the Free Software
1064 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
1066 +#include <linux/module.h>
1067 +#include <linux/skbuff.h>
1068 +#include <linux/ip.h>
1069 +#include <net/checksum.h>
1071 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
1072 +MODULE_DESCRIPTION("IP tables CONNMARK matching module");
1073 +MODULE_LICENSE("GPL");
1075 +#include <linux/netfilter_ipv4/ip_tables.h>
1076 +#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
1077 +#include <linux/netfilter_ipv4/ip_conntrack.h>
1079 +static unsigned int
1080 +target(struct sk_buff **pskb,
1081 + const struct net_device *in,
1082 + const struct net_device *out,
1083 + unsigned int hooknum,
1084 + const void *targinfo,
1087 + const struct ipt_connmark_target_info *markinfo = targinfo;
1088 + unsigned long diff;
1089 + unsigned long nfmark;
1090 + unsigned long newmark;
1092 + enum ip_conntrack_info ctinfo;
1093 + struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
1095 + switch(markinfo->mode) {
1096 + case IPT_CONNMARK_SET:
1097 + newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
1098 + if (newmark != ct->mark)
1099 + ct->mark = newmark;
1101 + case IPT_CONNMARK_SAVE:
1102 + newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
1103 + if (ct->mark != newmark)
1104 + ct->mark = newmark;
1106 + case IPT_CONNMARK_RESTORE:
1107 + nfmark = (*pskb)->nfmark;
1108 + diff = (ct->mark ^ nfmark & markinfo->mask);
1110 + (*pskb)->nfmark = nfmark ^ diff;
1111 + (*pskb)->nfcache |= NFC_ALTERED;
1117 + return IPT_CONTINUE;
1121 +checkentry(const char *tablename,
1122 + const struct ipt_entry *e,
1124 + unsigned int targinfosize,
1125 + unsigned int hook_mask)
1127 + struct ipt_connmark_target_info *matchinfo = targinfo;
1128 + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
1129 + printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
1131 + IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
1135 + if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
1136 + if (strcmp(tablename, "mangle") != 0) {
1137 + printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
1145 +static struct ipt_target ipt_connmark_reg = {
1146 + .name = "CONNMARK",
1147 + .target = &target,
1148 + .checkentry = &checkentry,
1152 +static int __init init(void)
1154 + return ipt_register_target(&ipt_connmark_reg);
1157 +static void __exit fini(void)
1159 + ipt_unregister_target(&ipt_connmark_reg);
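Review bot: In the IPT_CONNMARK_RESTORE case at line 1108, `&` binds tighter than `^`, so `diff` is `ct->mark ^ (nfmark & mask)` and the XOR at line 1110 also flips every bit outside the mask where nfmark and ct->mark differ; with an all-ones mask the two forms coincide, which is why this goes unnoticed. The intended computation is `diff = (ct->mark ^ nfmark) & markinfo->mask;`. ip_conntrack_get() returns NULL for packets that have no conntrack entry; the single line between 1093 and 1095 is not shown, and unless it is an `if (ct)` guard every case of the switch dereferences NULL — the same question applies to the match in ipt_connmark.c, where lines 1569–1571 are not visible. Less importantly, MODULE_AUTHOR gives `hno@marasytems.com` while the file header says `marasystems.com` (also in ipt_connmark.c), and the MODULE_DESCRIPTION calls this target a `matching module`.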
1164 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_IPMARK.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_IPMARK.c
1165 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_IPMARK.c 1970-01-01 00:00:00.000000000 +0000
1166 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_IPMARK.c 2004-03-22 09:00:56.000000000 +0000
1168 +/* This is a module which is used for setting the NFMARK field of an skb. */
1169 +#include <linux/module.h>
1170 +#include <linux/skbuff.h>
1171 +#include <linux/ip.h>
1172 +#include <net/checksum.h>
1174 +#include <linux/netfilter_ipv4/ip_tables.h>
1175 +#include <linux/netfilter_ipv4/ipt_IPMARK.h>
1177 +MODULE_AUTHOR("Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>");
1178 +MODULE_DESCRIPTION("IP tables IPMARK: mark based on ip address");
1179 +MODULE_LICENSE("GPL");
1181 +static unsigned int
1182 +target(struct sk_buff **pskb,
1183 + const struct net_device *in,
1184 + const struct net_device *out,
1185 + unsigned int hooknum,
1186 + const void *targinfo,
1189 + const struct ipt_ipmark_target_info *ipmarkinfo = targinfo;
1190 + struct iphdr *iph = (*pskb)->nh.iph;
1191 + unsigned long mark;
1193 + if (ipmarkinfo->addr == IPT_IPMARK_SRC)
1194 + mark = (unsigned long) ntohl(iph->saddr);
1196 + mark = (unsigned long) ntohl(iph->daddr);
1198 + mark &= ipmarkinfo->andmask;
1199 + mark |= ipmarkinfo->ormask;
1201 + if ((*pskb)->nfmark != mark) {
1202 + (*pskb)->nfmark = mark;
1203 + (*pskb)->nfcache |= NFC_ALTERED;
1205 + return IPT_CONTINUE;
1209 +checkentry(const char *tablename,
1210 + const struct ipt_entry *e,
1212 + unsigned int targinfosize,
1213 + unsigned int hook_mask)
1215 + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))) {
1216 + printk(KERN_WARNING "IPMARK: targinfosize %u != %Zu\n",
1218 + IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)));
1222 + if (strcmp(tablename, "mangle") != 0) {
1223 + printk(KERN_WARNING "IPMARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
1230 +static struct ipt_target ipt_ipmark_reg = {
1233 + .checkentry = checkentry,
1237 +static int __init init(void)
1239 + return ipt_register_target(&ipt_ipmark_reg);
1242 +static void __exit fini(void)
1244 + ipt_unregister_target(&ipt_ipmark_reg);
1249 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_XOR.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_XOR.c
1250 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_XOR.c 1970-01-01 00:00:00.000000000 +0000
1251 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_XOR.c 2004-03-22 09:01:18.000000000 +0000
1253 +/* XOR target for IP tables
1254 + * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
1255 + * Based on ipt_TTL.c
1259 + * This software is distributed under the terms of GNU GPL
1262 +#include <linux/module.h>
1263 +#include <linux/skbuff.h>
1264 +#include <linux/ip.h>
1265 +#include <linux/tcp.h>
1266 +#include <linux/udp.h>
1268 +#include <linux/netfilter_ipv4/ip_tables.h>
1269 +#include <linux/netfilter_ipv4/ipt_XOR.h>
1271 +MODULE_AUTHOR("Tim Vandermeersch <Tim.Vandermeersch@pandora.be>");
1272 +MODULE_DESCRIPTION("IP tables XOR module");
1273 +MODULE_LICENSE("GPL");
1275 +static unsigned int
1276 +ipt_xor_target(struct sk_buff **pskb,
1277 + const struct net_device *in, const struct net_device *out,
1278 + unsigned int hooknum, const void *targinfo, void *userinfo)
1280 + struct ipt_XOR_info *info = (void *) targinfo;
1281 + struct iphdr *iph;
1282 + struct tcphdr *tcph;
1283 + struct udphdr *udph;
1286 + if (!skb_ip_make_writable(pskb, (*pskb)->len))
1289 + iph = (*pskb)->nh.iph;
1291 + if (iph->protocol == IPPROTO_TCP) {
1292 + tcph = (struct tcphdr *) ((*pskb)->data + iph->ihl*4);
1293 + for (i=0, j=0; i<(ntohs(iph->tot_len) - iph->ihl*4 - tcph->doff*4); ) {
1294 + for (k=0; k<=info->block_size; k++) {
1295 + (char) (*pskb)->data[ iph->ihl*4 + tcph->doff*4 + i ] ^=
1300 + if (info->key[j] == 0x00)
1303 + } else if (iph->protocol == IPPROTO_UDP) {
1304 + udph = (struct udphdr *) ((*pskb)->data + iph->ihl*4);
1305 + for (i=0, j=0; i<(ntohs(udph->len)-8); ) {
1306 + for (k=0; k<=info->block_size; k++) {
1307 + (char) (*pskb)->data[ iph->ihl*4 + sizeof(struct udphdr) + i ] ^=
1312 + if (info->key[j] == 0x00)
1317 + return IPT_CONTINUE;
1320 +static int ipt_xor_checkentry(const char *tablename, const struct ipt_entry *e,
1321 + void *targinfo, unsigned int targinfosize,
1322 + unsigned int hook_mask)
1324 + struct ipt_XOR_info *info = targinfo;
1326 + if (targinfosize != IPT_ALIGN(sizeof(struct ipt_XOR_info))) {
1327 + printk(KERN_WARNING "XOR: targinfosize %u != %Zu\n",
1328 + targinfosize, IPT_ALIGN(sizeof(struct ipt_XOR_info)));
1332 + if (strcmp(tablename, "mangle")) {
1333 + printk(KERN_WARNING "XOR: can only be called from"
1334 + "\"mangle\" table, not \"%s\"\n", tablename);
1338 + if (!strcmp(info->key, "")) {
1339 + printk(KERN_WARNING "XOR: You must specify a key");
1343 + if (info->block_size == 0) {
1344 + printk(KERN_WARNING "XOR: You must specify a block-size");
1351 +static struct ipt_target ipt_XOR = {
1353 + .target = ipt_xor_target,
1354 + .checkentry = ipt_xor_checkentry,
1355 + .me = THIS_MODULE,
1358 +static int __init init(void)
1360 + return ipt_register_target(&ipt_XOR);
1363 +static void __exit fini(void)
1365 + ipt_unregister_target(&ipt_XOR);
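Review bot: The inner loops at lines 1294 and 1306 always run `block_size + 1` iterations without re-checking `i` against the payload length, so whenever the TCP or UDP payload is not a multiple of `block_size + 1` bytes the last block XORs bytes past the end of the payload — memory the target does not own, and beyond the linear area when the payload ends there. The UDP bound at line 1305 is taken from `udph->len`, a field the packet itself supplies and that nothing here compares with the IP payload length, so an over-long value drives the loop past the skb; compute one length per branch, clamp the UDP one to what the IP header says is present, and test it in both loops as sketched below. No TCP or UDP checksum update is visible after the payload is rewritten; if none exists in the omitted lines, the receiving host will discard every modified segment. The `(char)` cast on the assignment target at lines 1295 and 1307 is not an lvalue in standard C and should be dropped, and the two literals at lines 1333–1334 concatenate to `from"mangle"` with no space between them.
```c
	/* … unchanged: locals; declare `int len;` beside i, j, k so a negative len ends the loops … */
	if (iph->protocol == IPPROTO_TCP) {
		tcph = (struct tcphdr *) ((*pskb)->data + iph->ihl*4);
		len = ntohs(iph->tot_len) - iph->ihl*4 - tcph->doff*4;
		for (i = 0, j = 0; i < len; ) {
			for (k = 0; k <= info->block_size && i < len; k++) {
				/* … unchanged: XOR one payload byte with info->key[j], advance i … */
			}
			/* … unchanged: key index j handling … */
		}
	} else if (iph->protocol == IPPROTO_UDP) {
		udph = (struct udphdr *) ((*pskb)->data + iph->ihl*4);
		len = ntohs(iph->tot_len) - iph->ihl*4;	/* bytes the IP header accounts for */
		if (ntohs(udph->len) < len)
			len = ntohs(udph->len);
		len -= (int) sizeof(struct udphdr);
		for (i = 0, j = 0; i < len; ) {
			for (k = 0; k <= info->block_size && i < len; k++) {
				/* … unchanged: XOR one payload byte with info->key[j], advance i … */
			}
			/* … unchanged: key index j handling … */
		}
	}
```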
1370 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_addrtype.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_addrtype.c
1371 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_addrtype.c 1970-01-01 00:00:00.000000000 +0000
1372 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_addrtype.c 2004-03-22 09:01:46.000000000 +0000
1375 + * iptables module to match inet_addr_type() of an ip.
1378 +#include <linux/module.h>
1379 +#include <linux/skbuff.h>
1380 +#include <linux/netdevice.h>
1381 +#include <net/route.h>
1383 +#include <linux/netfilter_ipv4/ipt_addrtype.h>
1384 +#include <linux/netfilter_ipv4/ip_tables.h>
1386 +MODULE_LICENSE("GPL");
1388 +static inline int match_type(u_int32_t addr, u_int16_t mask)
1390 + return !!(mask & (1 << inet_addr_type(addr)));
1393 +static int match(const struct sk_buff *skb, const struct net_device *in,
1394 + const struct net_device *out, const void *matchinfo,
1395 + int offset, int *hotdrop)
1397 + const struct ipt_addrtype_info *info = matchinfo;
1398 + const struct iphdr *iph = skb->nh.iph;
1402 + ret &= match_type(iph->saddr, info->source)^info->invert_source;
1404 + ret &= match_type(iph->daddr, info->dest)^info->invert_dest;
1409 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
1410 + void *matchinfo, unsigned int matchsize,
1411 + unsigned int hook_mask)
1413 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) {
1414 + printk(KERN_ERR "ipt_addrtype: invalid size (%u != %u)\n.",
1415 + matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info)));
1422 +static struct ipt_match addrtype_match = {
1423 + .name = "addrtype",
1425 + .checkentry = checkentry,
1429 +static int __init init(void)
1431 + return ipt_register_match(&addrtype_match);
1434 +static void __exit fini(void)
1436 + ipt_unregister_match(&addrtype_match);
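Review bot: The size-mismatch printk at lines 1414–1415 passes `IPT_ALIGN(sizeof(struct ipt_addrtype_info))`, a size_t, to `%u`, and carries a stray `.` after the `\n`; the other checkentry functions in this patch print the same operand with `%Zu`, so `"ipt_addrtype: invalid size (%u != %Zu)\n"` would match them and the argument type. match_type at line 1390 can only represent address types 0–15 because `mask` is a u_int16_t and the shift result is ANDed into it; a comment stating the assumption that inet_addr_type() never returns a value of 16 or more would save the next person who extends the RTN_* space a silent non-match.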
1442 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_childlevel.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_childlevel.c
1443 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_childlevel.c 1970-01-01 00:00:00.000000000 +0000
1444 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_childlevel.c 2004-03-22 09:01:53.000000000 +0000
1447 + Kernel module to match the childlevel of a connection.
1448 + i.e. The ftp control stream is childlevel 0.
1449 + The ftp data stream is childlevel 1.
1451 + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
1452 + http://l7-filter.sf.net
1454 + This program is free software; you can redistribute it and/or
1455 + modify it under the terms of the GNU General Public License
1456 + as published by the Free Software Foundation; either version
1457 + 2 of the License, or (at your option) any later version.
1458 + http://www.gnu.org/licenses/gpl.txt
1461 +#include <linux/module.h>
1462 +#include <linux/skbuff.h>
1463 +#include <linux/netfilter_ipv4/ip_conntrack.h>
1465 +#include <linux/netfilter_ipv4/ipt_childlevel.h>
1466 +#include <linux/netfilter_ipv4/ip_tables.h>
1468 +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>");
1469 +MODULE_LICENSE("GPL");
1470 +MODULE_DESCRIPTION("Childlevel match module");
1472 +static int match(const struct sk_buff *skb, const struct net_device *in,
1473 + const struct net_device *out, const void *matchinfo,
1474 + int offset, int *hotdrop)
1476 + struct ipt_childlevel_info * info = (struct ipt_childlevel_info *)matchinfo;
1477 + enum ip_conntrack_info ctinfo;
1478 + struct ip_conntrack * conntrack;
1479 + int childlevel = 0;
1481 + if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo))){
1482 + printk(KERN_ERR "Netfilter: childlevel: error getting conntrack, giving up.\n");
1486 + while (master_ct(conntrack) != NULL){
1488 + conntrack = master_ct(conntrack);
1491 + return ( (childlevel == info->childlevel) ^ info->invert);
1495 +checkentry(const char *tablename, const struct ipt_ip *ip,
1496 + void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
1498 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_childlevel_info)))
1503 +static struct ipt_match childlevel_match = {
1504 + .name = "childlevel",
1506 + .checkentry = &checkentry,
1510 +static int __init init(void)
1512 + return ipt_register_match(&childlevel_match);
1515 +static void __exit fini(void)
1517 + ipt_unregister_match(&childlevel_match);
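Review bot: The printk at line 1482 sits on the per-packet path and fires for every packet that has no conntrack entry, a normal condition for untracked or invalid traffic and one a remote sender decides, so it floods the log; the match should simply return 0 there, or at most print under `printk_ratelimit()`. The walk up the master chain at lines 1486–1488 follows master_ct() with no lock visible, whereas the ipt_helper match elsewhere in this patch holds ip_conntrack_lock for reading while it dereferences expectation pointers (line 1622); confirm the chain cannot change under this loop or take the same read lock. The cast at line 1476 discards a const the match signature promises for no reason, `const struct ipt_childlevel_info *info = matchinfo;` needs no cast at all (the one at line 1481 is needed because ip_conntrack_get() takes a non-const skb).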
1522 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_connmark.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_connmark.c
1523 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_connmark.c 1970-01-01 00:00:00.000000000 +0000
1524 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_connmark.c 2004-03-22 09:08:35.000000000 +0000
1526 +/* This kernel module matches connection mark values set by the
1529 + * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
1530 + * by Henrik Nordstrom <hno@marasystems.com>
1532 + * This program is free software; you can redistribute it and/or modify
1533 + * it under the terms of the GNU General Public License as published by
1534 + * the Free Software Foundation; either version 2 of the License, or
1535 + * (at your option) any later version.
1537 + * This program is distributed in the hope that it will be useful,
1538 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
1539 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1540 + * GNU General Public License for more details.
1542 + * You should have received a copy of the GNU General Public License
1543 + * along with this program; if not, write to the Free Software
1544 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
1547 +#include <linux/module.h>
1548 +#include <linux/skbuff.h>
1550 +MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
1551 +MODULE_DESCRIPTION("IP tables connmark match module");
1552 +MODULE_LICENSE("GPL");
1554 +#include <linux/netfilter_ipv4/ip_tables.h>
1555 +#include <linux/netfilter_ipv4/ipt_connmark.h>
1556 +#include <linux/netfilter_ipv4/ip_conntrack.h>
1559 +match(const struct sk_buff *skb,
1560 + const struct net_device *in,
1561 + const struct net_device *out,
1562 + const void *matchinfo,
1566 + const struct ipt_connmark_info *info = matchinfo;
1567 + enum ip_conntrack_info ctinfo;
1568 + struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
1572 + return ((ct->mark & info->mask) == info->mark) ^ info->invert;
1576 +checkentry(const char *tablename,
1577 + const struct ipt_ip *ip,
1579 + unsigned int matchsize,
1580 + unsigned int hook_mask)
1582 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
1588 +static struct ipt_match connmark_match = {
1589 + .name = "connmark",
1591 + .checkentry = &checkentry,
1595 +static int __init init(void)
1597 + return ipt_register_match(&connmark_match);
1600 +static void __exit fini(void)
1602 + ipt_unregister_match(&connmark_match);
1607 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_helper.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_helper.c
1608 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_helper.c 2004-03-22 08:57:53.000000000 +0000
1609 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_helper.c 2004-03-22 09:02:25.000000000 +0000
1611 DEBUGP("master's name = %s , info->name = %s\n",
1612 exp->expectant->helper->name, info->name);
1614 - ret ^= !strncmp(exp->expectant->helper->name, info->name,
1615 - strlen(exp->expectant->helper->name));
1616 + if (info->data[0] == '\0')
1619 + ret ^= !strncmp(exp->expectant->helper->name, info->name,
1620 + strlen(exp->expectant->helper->name));
1622 READ_UNLOCK(&ip_conntrack_lock);
1625 if (matchsize != IPT_ALIGN(sizeof(struct ipt_helper_info)))
1628 - /* verify that we actually should match anything */
1629 - if ( strlen(info->name) == 0 )
1635 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_owner.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_owner.c
1636 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_owner.c 2004-03-20 00:11:50.000000000 +0000
1637 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_owner.c 2004-03-22 09:02:35.000000000 +0000
1639 * This program is free software; you can redistribute it and/or modify
1640 * it under the terms of the GNU General Public License version 2 as
1641 * published by the Free Software Foundation.
1643 + * 03/26/2003 Patrick McHardy <kaber@trash.net> : LOCAL_IN support
1646 #include <linux/module.h>
1647 #include <linux/skbuff.h>
1648 #include <linux/file.h>
1649 +#include <linux/ip.h>
1650 +#include <linux/tcp.h>
1651 +#include <linux/udp.h>
1652 #include <net/sock.h>
1653 +#include <net/tcp.h>
1654 +#include <net/udp.h>
1656 #include <linux/netfilter_ipv4/ipt_owner.h>
1657 #include <linux/netfilter_ipv4/ip_tables.h>
1659 MODULE_DESCRIPTION("iptables owner match");
1662 -match_comm(const struct sk_buff *skb, const char *comm)
1663 +match_comm(const struct sock *sk, const char *comm)
1665 struct task_struct *g, *p;
1666 struct files_struct *files;
1668 spin_lock(&files->file_lock);
1669 for (i=0; i < files->max_fds; i++) {
1670 if (fcheck_files(files, i) ==
1671 - skb->sk->sk_socket->file) {
1672 + sk->sk_socket->file) {
1673 spin_unlock(&files->file_lock);
1675 read_unlock(&tasklist_lock);
1680 -match_pid(const struct sk_buff *skb, pid_t pid)
1681 +match_pid(const struct sock *sk, pid_t pid)
1683 struct task_struct *p;
1684 struct files_struct *files;
1686 spin_lock(&files->file_lock);
1687 for (i=0; i < files->max_fds; i++) {
1688 if (fcheck_files(files, i) ==
1689 - skb->sk->sk_socket->file) {
1690 + sk->sk_socket->file) {
1691 spin_unlock(&files->file_lock);
1693 read_unlock(&tasklist_lock);
1698 -match_sid(const struct sk_buff *skb, pid_t sid)
1699 +match_sid(const struct sock *sk, pid_t sid)
1701 struct task_struct *g, *p;
1702 - struct file *file = skb->sk->sk_socket->file;
1703 + struct file *file = sk->sk_socket->file;
1706 read_lock(&tasklist_lock);
1707 @@ -129,41 +136,71 @@
1710 const struct ipt_owner_info *info = matchinfo;
1711 + struct iphdr *iph = skb->nh.iph;
1712 + struct sock *sk = NULL;
1718 + if (iph->protocol == IPPROTO_TCP) {
1719 + struct tcphdr *tcph =
1720 + (struct tcphdr *)((u_int32_t *)iph + iph->ihl);
1721 + sk = tcp_v4_lookup(iph->saddr, tcph->source,
1722 + iph->daddr, tcph->dest,
1723 + skb->dev->ifindex);
1724 + if (sk && sk->sk_state == TCP_TIME_WAIT) {
1725 + tcp_tw_put((struct tcp_tw_bucket *)sk);
1728 + } else if (iph->protocol == IPPROTO_UDP) {
1729 + struct udphdr *udph =
1730 + (struct udphdr *)((u_int32_t *)iph + iph->ihl);
1731 + sk = udp_v4_lookup(iph->saddr, udph->source, iph->daddr,
1732 + udph->dest, skb->dev->ifindex);
1736 - if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
1738 + if (!sk || !sk->sk_socket || !sk->sk_socket->file)
1741 if(info->match & IPT_OWNER_UID) {
1742 - if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
1743 + if ((sk->sk_socket->file->f_uid != info->uid) ^
1744 !!(info->invert & IPT_OWNER_UID))
1749 if(info->match & IPT_OWNER_GID) {
1750 - if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
1751 + if ((sk->sk_socket->file->f_gid != info->gid) ^
1752 !!(info->invert & IPT_OWNER_GID))
1757 if(info->match & IPT_OWNER_PID) {
1758 - if (!match_pid(skb, info->pid) ^
1759 + if (!match_pid(sk, info->pid) ^
1760 !!(info->invert & IPT_OWNER_PID))
1765 if(info->match & IPT_OWNER_SID) {
1766 - if (!match_sid(skb, info->sid) ^
1767 + if (!match_sid(sk, info->sid) ^
1768 !!(info->invert & IPT_OWNER_SID))
1773 if(info->match & IPT_OWNER_COMM) {
1774 - if (!match_comm(skb, info->comm) ^
1775 + if (!match_comm(sk, info->comm) ^
1776 !!(info->invert & IPT_OWNER_COMM))
1792 @@ -173,11 +210,19 @@
1793 unsigned int matchsize,
1794 unsigned int hook_mask)
1797 - & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
1798 - printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
1802 + & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING) |
1803 + (1 << NF_IP_LOCAL_IN))) {
1804 + printk("ipt_owner: only valid for LOCAL_IN, LOCAL_OUT "
1805 + "or POST_ROUTING.\n");
1809 + if ((hook_mask & (1 << NF_IP_LOCAL_IN))
1810 + && ip->proto != IPPROTO_TCP && ip->proto != IPPROTO_UDP) {
1811 + printk("ipt_owner: only TCP or UDP can be used in LOCAL_IN\n");
1815 if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
1816 printk("Matchsize %u != %Zu\n", matchsize,
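Review bot: The LOCAL_IN restriction at lines 1809–1810 tests `ip->proto` alone, so a rule written with `-p ! tcp` (IPT_INV_PROTO set in `ip->invflags`) passes checkentry and the match then runs on non-TCP/UDP packets in LOCAL_IN with no socket to look up; extend the condition with `|| (ip->invflags & IPT_INV_PROTO)`. tcp_v4_lookup() and udp_v4_lookup() hand back a held socket reference; the TIME_WAIT bucket is released at line 1725, but the `sock_put()` for an established TCP or a UDP socket is not within the visible lines, so confirm it happens on every exit of match(), including the early return after the `!sk->sk_socket` test at line 1738 and both the matched and unmatched returns. The transport header is taken straight from `iph + ihl` at lines 1720 and 1730 without checking that the skb holds a full TCP/UDP header past the IP header; a comment stating what earlier layers are relied on to guarantee here would help. match() begins and ends outside the hunk.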
1817 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_policy.c linux-2.6.5-rc2/net/ipv4/netfilter/ipt_policy.c
1818 --- linux-2.6.5-rc2.org/net/ipv4/netfilter/ipt_policy.c 1970-01-01 00:00:00.000000000 +0000
1819 +++ linux-2.6.5-rc2/net/ipv4/netfilter/ipt_policy.c 2004-03-22 09:02:50.000000000 +0000
1821 +/* IP tables module for matching IPsec policy
1823 + * Copyright (c) 2004 Patrick McHardy, <kaber@trash.net>
1825 + * This program is free software; you can redistribute it and/or modify
1826 + * it under the terms of the GNU General Public License version 2 as
1827 + * published by the Free Software Foundation.
1830 +#include <linux/kernel.h>
1831 +#include <linux/config.h>
1832 +#include <linux/module.h>
1833 +#include <linux/skbuff.h>
1834 +#include <linux/init.h>
1835 +#include <net/xfrm.h>
1837 +#include <linux/netfilter_ipv4.h>
1838 +#include <linux/netfilter_ipv4/ipt_policy.h>
1839 +#include <linux/netfilter_ipv4/ip_tables.h>
1841 +MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
1842 +MODULE_DESCRIPTION("IPtables IPsec policy matching module");
1843 +MODULE_LICENSE("GPL");
1847 +match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e)
1849 +#define MISMATCH(x,y) (e->match.x && ((e->x != (y)) ^ e->invert.x))
1851 + if (MISMATCH(saddr, x->props.saddr.a4 & e->smask) ||
1852 + MISMATCH(daddr, x->id.daddr.a4 & e->dmask) ||
1853 + MISMATCH(proto, x->id.proto) ||
1854 + MISMATCH(mode, x->props.mode) ||
1855 + MISMATCH(spi, x->id.spi) ||
1856 + MISMATCH(reqid, x->props.reqid))
1862 +match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info)
1864 + const struct ipt_policy_elem *e;
1865 + struct sec_path *sp = skb->sp;
1866 + int strict = info->flags & POLICY_MATCH_STRICT;
1871 + if (strict && info->len != sp->len)
1874 + for (i = sp->len - 1; i >= 0; i--) {
1875 + pos = strict ? i - sp->len + 1 : 0;
1876 + if (pos >= info->len)
1878 + e = &info->pol[pos];
1880 + if (match_xfrm_state(sp->x[i].xvec, e)) {
1883 + } else if (strict)
1887 + return strict ? 1 : 0;
1891 +match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info)
1893 + const struct ipt_policy_elem *e;
1894 + struct dst_entry *dst = skb->dst;
1895 + int strict = info->flags & POLICY_MATCH_STRICT;
1898 + if (dst->xfrm == NULL)
1901 + for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
1902 + pos = strict ? i : 0;
1903 + if (pos >= info->len)
1905 + e = &info->pol[pos];
1907 + if (match_xfrm_state(dst->xfrm, e)) {
1910 + } else if (strict)
1914 + return strict ? 1 : 0;
1917 +static int match(const struct sk_buff *skb,
1918 + const struct net_device *in,
1919 + const struct net_device *out,
1920 + const void *matchinfo, int offset, int *hotdrop)
1922 + const struct ipt_policy_info *info = matchinfo;
1925 + if (info->flags & POLICY_MATCH_IN)
1926 + ret = match_policy_in(skb, info);
1928 + ret = match_policy_out(skb, info);
1931 + if (info->flags & POLICY_MATCH_NONE)
1935 + } else if (info->flags & POLICY_MATCH_NONE)
1941 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
1942 + void *matchinfo, unsigned int matchsize,
1943 + unsigned int hook_mask)
1945 + struct ipt_policy_info *info = matchinfo;
1947 + if (matchsize != IPT_ALIGN(sizeof(*info))) {
1948 + printk(KERN_ERR "ipt_policy: matchsize %u != %u\n",
1949 + matchsize, IPT_ALIGN(sizeof(*info)));
1952 + if (!(info->flags & (POLICY_MATCH_IN|POLICY_MATCH_OUT))) {
1953 + printk(KERN_ERR "ipt_policy: neither incoming nor "
1954 + "outgoing policy selected\n");
1957 + if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
1958 + && info->flags & POLICY_MATCH_OUT) {
1959 + printk(KERN_ERR "ipt_policy: output policy not valid in "
1960 + "PRE_ROUTING and INPUT\n");
1963 + if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
1964 + && info->flags & POLICY_MATCH_IN) {
1965 + printk(KERN_ERR "ipt_policy: input policy not valid in "
1966 + "POST_ROUTING and OUTPUT\n");
1969 + if (info->len > POLICY_MAX_ELEM) {
1970 + printk(KERN_ERR "ipt_policy: too many policy elements\n");
1977 +static struct ipt_match policy_match =
1981 + .checkentry = checkentry,
1982 + .me = THIS_MODULE,
1985 +static int __init init(void)
1987 + return ipt_register_match(&policy_match);
1990 +static void __exit fini(void)
1992 + ipt_unregister_match(&policy_match);
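Review bot: In match_policy_in, `pos = strict ? i - sp->len + 1 : 0` at line 1875 is 0 on the first iteration and then negative, since i counts down from sp->len - 1, so in strict mode with more than one transform the test `pos >= info->len` at line 1876 does not stop it and `info->pol[pos]` at line 1878 is read before the start of the array — assuming `pos` is declared int on the omitted line 1867; if it is unsigned the test instead rejects every multi-level strict policy. Either way the index should start at 0 for the first element visited and grow from there, `pos = strict ? sp->len - 1 - i : 0;`, which mirrors match_policy_out where `pos = strict ? i : 0` with i ascending. `sp` is not checked for NULL within the visible lines (1867–1870 are omitted); a packet that arrived without IPsec has no sec_path, so `sp->len` at line 1871 must be guarded before it is read.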
1997 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/tcp_ipv4.c linux-2.6.5-rc2/net/ipv4/tcp_ipv4.c
1998 --- linux-2.6.5-rc2.org/net/ipv4/tcp_ipv4.c 2004-03-20 00:11:04.000000000 +0000
1999 +++ linux-2.6.5-rc2/net/ipv4/tcp_ipv4.c 2004-03-22 09:02:35.000000000 +0000
2000 @@ -2667,6 +2667,7 @@
2001 EXPORT_SYMBOL(tcp_v4_connect);
2002 EXPORT_SYMBOL(tcp_v4_do_rcv);
2003 EXPORT_SYMBOL(tcp_v4_lookup_listener);
2004 +EXPORT_SYMBOL(tcp_v4_lookup);
2005 EXPORT_SYMBOL(tcp_v4_rebuild_header);
2006 EXPORT_SYMBOL(tcp_v4_remember_stamp);
2007 EXPORT_SYMBOL(tcp_v4_send_check);
2008 diff -Nur --exclude '*.orig' linux-2.6.5-rc2.org/net/ipv4/udp.c linux-2.6.5-rc2/net/ipv4/udp.c
2009 --- linux-2.6.5-rc2.org/net/ipv4/udp.c 2004-03-20 00:11:02.000000000 +0000
2010 +++ linux-2.6.5-rc2/net/ipv4/udp.c 2004-03-22 09:02:35.000000000 +0000
2011 @@ -1543,6 +1543,7 @@
2012 EXPORT_SYMBOL(udp_port_rover);
2013 EXPORT_SYMBOL(udp_prot);
2014 EXPORT_SYMBOL(udp_sendmsg);
2015 +EXPORT_SYMBOL(udp_v4_lookup);
2017 #ifdef CONFIG_PROC_FS
2018 EXPORT_SYMBOL(udp_proc_register);