From: Gabor Juhos Date: Tue, 15 Apr 2008 06:11:23 +0000 (+0000) Subject: update iptables to 1.4.0 (2.6 kernels only), refresh kernel patches X-Git-Tag: reboot~26756 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=d80f43d15f4e1fb9c8c45fdafc7f0c8838573047;p=openwrt%2Fopenwrt.git update iptables to 1.4.0 (2.6 kernels only), refresh kernel patches SVN-Revision: 10843 --- diff --git a/include/netfilter.mk b/include/netfilter.mk index ee0dbf3a13..7e7005d2a2 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -100,6 +100,7 @@ $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC, $(P_XT)xt_st $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TCPMSS, $(P_V4)ipt_tcpmss)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TIME, $(P_V4)ipt_time)) +$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TOS, $(P_V4)ipt_tos)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TTL, $(P_V4)ipt_ttl)) $(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_UNCLEAN, $(P_V4)ipt_unclean)) @@ -249,6 +250,9 @@ $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG)) IPT_BUILTIN := $(if $(NF_KMOD),,$(P_V4)ipt_standard) IPT_BUILTIN += $(if $(NF_KMOD),,$(P_V4)ipt_icmp $(P_V4)ipt_tcp $(P_V4)ipt_udp) +IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_standard) +IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_icmp $(P_XT)xt_tcp $(P_XT)xt_udp) + IPT_BUILTIN += $(IPT_CONNTRACK-y) IPT_BUILTIN += $(IPT_EXTRA-y) IPT_BUILTIN += $(IPT_FILTER-y) diff --git a/package/iptables/Makefile b/package/iptables/Makefile index 8f24a3b3db..ff55ce590a 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -1,5 +1,5 @@ -# -# Copyright (C) 2006 OpenWrt.org +# +# Copyright (C) 2006-2008 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -10,15 +10,28 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables -PKG_VERSION:=1.3.8 -PKG_RELEASE:=2 + +ifeq ($(CONFIG_LINUX_2_4),y) + PKG_VERSION:=1.3.8 + PKG_RELEASE:=3 + PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3 +endif + +ifeq ($(CONFIG_LINUX_2_6),y) + PKG_VERSION:=1.4.0 + PKG_RELEASE:=1 + PKG_MD5SUM:=90cfa8a554a29b0b859a625e701af2a7 +endif + +PKG_VERSION?= PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \ ftp://ftp.no.netfilter.org/pub/netfilter/iptables/ -PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3 + +PATCH_DIR:=./patches/$(PKG_VERSION) include $(INCLUDE_DIR)/package.mk ifeq ($(DUMP),) @@ -33,6 +46,11 @@ define Package/iptables/Default URL:=http://netfilter.org/ endef +define Package/iptables/Module +$(call Package/iptables/Default) + DEPENDS:=iptables $(1) +endef + define Package/iptables $(call Package/iptables/Default) TITLE:=IPv4 firewall administration tool @@ -45,8 +63,7 @@ define Package/iptables/conffiles endef define Package/iptables-mod-conntrack -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-conntrack +$(call Package/iptables/Module, +kmod-ipt-conntrack) TITLE:=connection tracking modules endef @@ -59,39 +76,36 @@ define Package/iptables-mod-conntrack/description endef define Package/iptables-mod-filter -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-filter +$(call Package/iptables/Module, +kmod-ipt-filter) TITLE:=filter modules endef define Package/iptables-mod-filter/description iptables extensions for packet content inspection. - Includes: + Includes: - libipt_ipp2p - - libipt_layer7 + - libipt_layer7 endef define Package/iptables-mod-imq -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-imq +$(call Package/iptables/Module, +kmod-ipt-imq) TITLE:=IMQ support endef define Package/iptables-mod-imq/description iptables extension for IMQ support. - Includes: + Includes: - libipt_IMQ endef define Package/iptables-mod-ipopt -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-ipopt +$(call Package/iptables/Module, +kmod-ipt-ipopt) TITLE:=IP/Packet option modules endef define Package/iptables-mod-ipopt/description iptables extensions for matching/changing IP packet options.\\\ - Includes: + Includes: - libipt_CLASSIFY - libipt_dscp/DSCP - libipt_ecn/ECN @@ -102,68 +116,63 @@ define Package/iptables-mod-ipopt/description - libipt_tcpmms - libipt_tos/TOS - libipt_ttl/TTL - - libipt_unclean + - libipt_unclean endef define Package/iptables-mod-ipsec -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-ipsec +$(call Package/iptables/Module, +kmod-ipt-ipsec) TITLE:=IPSec extensions endef define Package/iptables-mod-ipsec/description iptables extensions for matching ipsec traffic. - Includes: + Includes: - libipt_ah - libipt_esp - libipt_policy endef define Package/iptables-mod-nat -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-nat +$(call Package/iptables/Module, +kmod-ipt-nat) TITLE:=extra NAT targets endef define Package/iptables-mod-nat/description iptables extensions for different NAT targets. - Includes: + Includes: - libipt_REDIRECT endef define Package/iptables-mod-ulog -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-ulog +$(call Package/iptables/Module, +kmod-ipt-ulog) TITLE:=user-space packet logging endef define Package/iptables-mod-ulog/description iptables extensions for user-space packet logging. - Includes: + Includes: - libipt_ULOG endef define Package/iptables-mod-iprange -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-iprange +$(call Package/iptables/Module, +kmod-ipt-iprange) TITLE:=ip range module endef define Package/iptables-mod-iprange/description iptables extensions for matching ip ranges. - Includes: + Includes: - libipt_iprange endef define Package/iptables-mod-extra -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-extra +$(call Package/iptables/Module, +kmod-ipt-extra) TITLE:=other extra iptables extensions endef define Package/iptables-mod-extra/description other extra iptables extensions. - Includes: + Includes: - libipt_limit - libipt_owner - libipt_physdev @@ -177,37 +186,36 @@ define Package/iptables-mod-extra/description endef define Package/iptables-mod-ipset -$(call Package/iptables/Default) - DEPENDS:=iptables +kmod-ipt-ipset +$(call Package/iptables/Module, +kmod-ipt-ipset) TITLE:=ipset iptables extension endef define Package/iptables-utils -$(call Package/iptables/Default) - DEPENDS:=iptables +$(call Package/iptables/Module, ) TITLE:=iptables save and restore utilities endef define Package/ip6tables $(call Package/iptables/Default) - DEPENDS:=+kmod-ipv6 - CATEGORY:=Network + DEPENDS:=+kmod-ip6tables + CATEGORY:=IPv6 TITLE:=IPv6 firewall administration tool + MENU:=1 endef define Package/ip6tables-utils $(call Package/iptables/Default) DEPENDS:=ip6tables - CATEGORY:=Network + CATEGORY:=IPv6 TITLE:=ip6tables save and restore utilities endef define Build/Prepare $(call Build/Prepare/Default) - chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test* endef define Build/Configure + chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test* rm -f $(PKG_BUILD_DIR)/.configured* $(MAKE) -C $(PKG_BUILD_DIR) \ clean @@ -220,6 +228,7 @@ define Build/Compile COPT_FLAGS="$(TARGET_CFLAGS)" \ LDFLAGS="-rdynamic -static-libgcc" \ KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \ + KBUILD_OUTPUT="$(LINUX_DIR)" \ DESTDIR="$(PKG_INSTALL_DIR)" \ all experimental install install-experimental endef @@ -229,6 +238,7 @@ define Build/InstallDev $(TARGET_CONFIGURE_OPTS) \ COPT_FLAGS="$(TARGET_CFLAGS)" \ KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \ + KBUILD_OUTPUT="$(LINUX_DIR)" \ DESTDIR="$(1)" \ install-devel $(CP) $(PKG_BUILD_DIR)/include $(1)/usr @@ -247,7 +257,11 @@ define Package/iptables/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/usr/lib/iptables (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \ - $(CP) $(patsubst %,lib%.so,$(IPT_BUILTIN:xt_%=ipt_%)) $(1)/usr/lib/iptables/ \ + for m in $(patsubst xt_%,ipt_%,$(IPT_BUILTIN)) $(patsubst ipt_%,xt_%,$(IPT_BUILTIN)); do \ + if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so ]; then \ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so $(1)/usr/lib/iptables/ ;\ + fi; \ + done \ ) endef @@ -273,8 +287,10 @@ endef define BuildPlugin define Package/$(1)/install $(INSTALL_DIR) $$(1)/usr/lib/iptables - for m in $$(patsubst xt_%,ipt_%,$(2)); do \ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ + for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \ + if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ + fi; \ done $(3) endef diff --git a/package/iptables/patches/001-ipp2p-0.8.1rc1.patch b/package/iptables/patches/001-ipp2p-0.8.1rc1.patch deleted file mode 100644 index 7ca62d2140..0000000000 --- a/package/iptables/patches/001-ipp2p-0.8.1rc1.patch +++ /dev/null @@ -1,457 +0,0 @@ -Index: iptables-1.3.8/extensions/Makefile -=================================================================== ---- iptables-1.3.8.orig/extensions/Makefile 2007-07-31 15:27:55.000000000 -0500 -+++ iptables-1.3.8/extensions/Makefile 2007-07-31 15:27:55.000000000 -0500 -@@ -13,6 +13,10 @@ - PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK - endif - -+ -+# ipp2p -+PF_EXT_SLIB += ipp2p -+ - # Optionals - PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) - PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) -Index: iptables-1.3.8/extensions/libipt_ipp2p.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_ipp2p.c 2007-07-31 15:27:55.000000000 -0500 -@@ -0,0 +1,401 @@ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#include -+ -+static void -+help(void) -+{ -+ printf( -+ "IPP2P v%s options:\n" -+ " --ipp2p Grab all known p2p packets\n" -+ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" -+ " --dc [TCP] All known Direct Connect packets\n" -+ " --kazaa [TCP&UDP] All known KaZaA packets\n" -+ " --gnu [TCP&UDP] All known Gnutella packets\n" -+ " --bit [TCP&UDP] All known BitTorrent packets\n" -+ " --apple [TCP] All known AppleJuice packets\n" -+ " --winmx [TCP] All known WinMX\n" -+ " --soul [TCP] All known SoulSeek\n" -+ " --ares [TCP] All known Ares\n\n" -+ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" -+ " --mute [TCP] All known Mute packets\n" -+ " --waste [TCP] All known Waste packets\n" -+ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n" -+ " DEBUG SUPPPORT, use only if you know why\n" -+ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" -+ "\nNote that the follwing options will have the same meaning:\n" -+ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n" -+ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" -+ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" -+ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" -+ "\nExamples:\n" -+ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" -+ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" -+ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" -+ , IPP2P_VERSION); -+} -+ -+static struct option opts[] = { -+ { "ipp2p", 0, 0, '1' }, -+ { "edk", 0, 0, '2' }, -+ { "dc", 0, 0, '7' }, -+ { "gnu", 0, 0, '9' }, -+ { "kazaa", 0, 0, 'a' }, -+ { "bit", 0, 0, 'b' }, -+ { "apple", 0, 0, 'c' }, -+ { "soul", 0, 0, 'd' }, -+ { "winmx", 0, 0, 'e' }, -+ { "ares", 0, 0, 'f' }, -+ { "mute", 0, 0, 'g' }, -+ { "waste", 0, 0, 'h' }, -+ { "xdcc", 0, 0, 'i' }, -+ { "debug", 0, 0, 'j' }, -+ {0} -+}; -+ -+ -+ -+static void -+init(struct ipt_entry_match *m, unsigned int *nfcache) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; -+ -+ *nfcache |= NFC_UNKNOWN; -+ -+ /*init the module with default values*/ -+ info->cmd = 0; -+ info->debug = 0; -+ -+} -+ -+ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ unsigned int *nfcache, -+ struct ipt_entry_match **match) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; -+ -+ switch (c) { -+ case '1': /*cmd: ipp2p*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified once!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags) != 0) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += SHORT_HAND_IPP2P; -+ info->cmd = *flags; -+ break; -+ -+ case '2': /*cmd: edk*/ -+ if ((*flags & IPP2P_EDK) == IPP2P_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--edk' may only be " -+ "specified once"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_EDK; -+ info->cmd = *flags; -+ break; -+ -+ -+ case '7': /*cmd: dc*/ -+ if ((*flags & IPP2P_DC) == IPP2P_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--dc' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DC; -+ info->cmd = *flags; -+ break; -+ -+ -+ case '9': /*cmd: gnu*/ -+ if ((*flags & IPP2P_GNU) == IPP2P_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--gnu' may only be " -+ "specified once!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_GNU; -+ info->cmd = *flags; -+ break; -+ -+ case 'a': /*cmd: kazaa*/ -+ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--kazaa' may only be " -+ "specified once!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_KAZAA; -+ info->cmd = *flags; -+ break; -+ -+ case 'b': /*cmd: bit*/ -+ if ((*flags & IPP2P_BIT) == IPP2P_BIT) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--bit' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_BIT; -+ info->cmd = *flags; -+ break; -+ -+ case 'c': /*cmd: apple*/ -+ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--apple' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_APPLE; -+ info->cmd = *flags; -+ break; -+ -+ -+ case 'd': /*cmd: soul*/ -+ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--soul' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_SOUL; -+ info->cmd = *flags; -+ break; -+ -+ -+ case 'e': /*cmd: winmx*/ -+ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--winmx' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_WINMX; -+ info->cmd = *flags; -+ break; -+ -+ case 'f': /*cmd: ares*/ -+ if ((*flags & IPP2P_ARES) == IPP2P_ARES) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ares' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_ARES; -+ info->cmd = *flags; -+ break; -+ -+ case 'g': /*cmd: mute*/ -+ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--mute' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_MUTE; -+ info->cmd = *flags; -+ break; -+ case 'h': /*cmd: waste*/ -+ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--waste' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_WASTE; -+ info->cmd = *flags; -+ break; -+ case 'i': /*cmd: xdcc*/ -+ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ares' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_XDCC; -+ info->cmd = *flags; -+ break; -+ -+ case 'j': /*cmd: debug*/ -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ info->debug = 1; -+ break; -+ -+ default: -+// exit_error(PARAMETER_PROBLEM, -+// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+ -+static void -+final_check(unsigned int flags) -+{ -+ if (!flags) -+ exit_error(PARAMETER_PROBLEM, -+ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); -+} -+ -+ -+ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, -+ int numeric) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; -+ -+ printf("ipp2p v%s", IPP2P_VERSION); -+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); -+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); -+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); -+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); -+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); -+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); -+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); -+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); -+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); -+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); -+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); -+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); -+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); -+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); -+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); -+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); -+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); -+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); -+ if (info->debug != 0) printf(" --debug"); -+ printf(" "); -+} -+ -+ -+ -+static void -+save(const struct ipt_ip *ip, const struct ipt_entry_match *match) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; -+ -+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); -+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); -+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); -+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); -+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); -+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); -+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); -+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); -+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); -+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); -+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); -+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); -+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); -+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); -+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); -+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); -+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); -+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); -+ if (info->debug != 0) printf("--debug "); -+} -+ -+ -+ -+ -+static -+struct iptables_match ipp2p= -+{ -+ .next = NULL, -+ .name = "ipp2p", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+ -+ -+void _init(void) -+{ -+ register_match(&ipp2p); -+} -+ -Index: iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-07-31 15:27:55.000000000 -0500 -@@ -0,0 +1,31 @@ -+#ifndef __IPT_IPP2P_H -+#define __IPT_IPP2P_H -+#define IPP2P_VERSION "0.8.1_rc1" -+ -+struct ipt_p2p_info { -+ int cmd; -+ int debug; -+}; -+ -+#endif //__IPT_IPP2P_H -+ -+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ -+//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ -+#define SHORT_HAND_NONE 5 /* no short hand*/ -+ -+#define IPP2P_EDK (1 << 1) -+#define IPP2P_DATA_KAZAA (1 << 2) -+#define IPP2P_DATA_EDK (1 << 3) -+#define IPP2P_DATA_DC (1 << 4) -+#define IPP2P_DC (1 << 5) -+#define IPP2P_DATA_GNU (1 << 6) -+#define IPP2P_GNU (1 << 7) -+#define IPP2P_KAZAA (1 << 8) -+#define IPP2P_BIT (1 << 9) -+#define IPP2P_APPLE (1 << 10) -+#define IPP2P_SOUL (1 << 11) -+#define IPP2P_WINMX (1 << 12) -+#define IPP2P_ARES (1 << 13) -+#define IPP2P_MUTE (1 << 14) -+#define IPP2P_WASTE (1 << 15) -+#define IPP2P_XDCC (1 << 16) diff --git a/package/iptables/patches/002-layer7-1.5nbd.patch b/package/iptables/patches/002-layer7-1.5nbd.patch deleted file mode 100644 index ef80c8f0cc..0000000000 --- a/package/iptables/patches/002-layer7-1.5nbd.patch +++ /dev/null @@ -1,421 +0,0 @@ -Index: iptables-1.3.8/extensions/.layer7-test -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/.layer7-test 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,3 @@ -+#! /bin/sh -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7 -+[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7 -Index: iptables-1.3.8/extensions/ipt_layer7.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/ipt_layer7.h 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,27 @@ -+/* -+ By Matthew Strait , Dec 2003. -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#ifndef _IPT_LAYER7_H -+#define _IPT_LAYER7_H -+ -+#define MAX_PATTERN_LEN 8192 -+#define MAX_PROTOCOL_LEN 256 -+ -+typedef char *(*proc_ipt_search) (char *, char, char *); -+ -+struct ipt_layer7_info { -+ char protocol[MAX_PROTOCOL_LEN]; -+ char invert:1; -+ char pattern[MAX_PATTERN_LEN]; -+ char pkt; -+}; -+ -+#endif /* _IPT_LAYER7_H */ -Index: iptables-1.3.8/extensions/libipt_layer7.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_layer7.c 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,358 @@ -+/* -+ Shared library add-on to iptables to add layer 7 matching support. -+ -+ By Matthew Strait , Oct 2003. -+ -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+ -+ Based on libipt_string.c (C) 2000 Emmanuel Roger -+*/ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include "ipt_layer7.h" -+ -+#define MAX_FN_LEN 256 -+ -+static char l7dir[MAX_FN_LEN] = "\0"; -+ -+/* Function which prints out usage message. */ -+static void help(void) -+{ -+ printf( -+ "LAYER7 match v%s options:\n" -+ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" -+ " (--l7dir must be specified before --l7proto if used!)\n" -+ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n" -+ "--l7pkt : Skip connection tracking and match individual packets\n", -+ IPTABLES_VERSION); -+ fputc('\n', stdout); -+} -+ -+static struct option opts[] = { -+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, -+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, -+ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' }, -+ { .name = 0 } -+}; -+ -+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ -+int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) -+{ -+ FILE * f; -+ char * line = NULL; -+ size_t len = 0; -+ -+ enum { protocol, pattern, done } datatype = protocol; -+ -+ f = fopen(filename, "r"); -+ -+ if(!f) -+ return 0; -+ -+ while(getline(&line, &len, f) != -1) -+ { -+ if(strlen(line) < 2 || line[0] == '#') -+ continue; -+ -+ /* strip the pesky newline... */ -+ if(line[strlen(line) - 1] == '\n') -+ line[strlen(line) - 1] = '\0'; -+ -+ if(datatype == protocol) -+ { -+ if(strcmp(line, protoname)) -+ exit_error(OTHER_PROBLEM, -+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", -+ protoname, filename); -+ -+ if(strlen(line) >= MAX_PROTOCOL_LEN) -+ exit_error(PARAMETER_PROBLEM, -+ "Protocol name in %s too long!", filename); -+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); -+ -+ datatype = pattern; -+ } -+ else if(datatype == pattern) -+ { -+ if(strlen(line) >= MAX_PATTERN_LEN) -+ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); -+ strncpy(info->pattern, line, MAX_PATTERN_LEN); -+ -+ datatype = done; -+ break; -+ } -+ else -+ exit_error(OTHER_PROBLEM, "Internal error"); -+ } -+ -+ if(datatype != done) -+ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); -+ -+ if(line) free(line); -+ fclose(f); -+ -+ return 1; -+ -+/* -+ fprintf(stderr, "protocol: %s\npattern: %s\n\n", -+ info->protocol, -+ info->pattern); -+*/ -+} -+ -+static int hex2dec(char c) -+{ -+ switch (c) -+ { -+ case '0' ... '9': -+ return c - '0'; -+ case 'a' ... 'f': -+ return c - 'a' + 10; -+ case 'A' ... 'F': -+ return c - 'A' + 10; -+ default: -+ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); -+ return 0; -+ } -+} -+ -+/* takes a string with \xHH escapes and returns one with the characters -+they stand for */ -+static char * pre_process(char * s) -+{ -+ char * result = malloc(strlen(s) + 1); -+ int sindex = 0, rindex = 0; -+ while( sindex < strlen(s) ) -+ { -+ if( sindex + 3 < strlen(s) && -+ s[sindex] == '\\' && s[sindex+1] == 'x' && -+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) -+ { -+ /* carefully remember to call tolower here... */ -+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + -+ hex2dec(s[sindex + 3] ) ); -+ sindex += 3; /* 4 total */ -+ } -+ else -+ result[rindex] = tolower(s[sindex]); -+ -+ sindex++; -+ rindex++; -+ } -+ result[rindex] = '\0'; -+ -+ return result; -+} -+ -+#define MAX_SUBDIRS 128 -+char ** readl7dir(char * dirname) -+{ -+ DIR * scratchdir; -+ struct dirent ** namelist; -+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); -+ -+ int n, d = 1; -+ subdirs[0] = ""; -+ -+ n = scandir(dirname, &namelist, 0, alphasort); -+ -+ if (n < 0) -+ { -+ perror("scandir"); -+ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); -+ } -+ else -+ { -+ while(n--) -+ { -+ char fulldirname[MAX_FN_LEN]; -+ -+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); -+ -+ if((scratchdir = opendir(fulldirname)) != NULL) -+ { -+ closedir(scratchdir); -+ -+ if(!strcmp(namelist[n]->d_name, ".") || -+ !strcmp(namelist[n]->d_name, "..")) -+ /* do nothing */ ; -+ else -+ { -+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); -+ strcpy(subdirs[d], namelist[n]->d_name); -+ d++; -+ if(d >= MAX_SUBDIRS - 1) -+ { -+ fprintf(stderr, -+ "Too many subdirectories, skipping the rest!\n"); -+ break; -+ } -+ } -+ } -+ free(namelist[n]); -+ } -+ free(namelist); -+ } -+ -+ subdirs[d] = NULL; -+ -+ return subdirs; -+} -+ -+static void -+parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info) -+{ -+ char filename[MAX_FN_LEN]; -+ char * dir = NULL; -+ char ** subdirs; -+ int n = 0, done = 0; -+ -+ if(strlen(l7dir) > 0) -+ dir = l7dir; -+ else -+ dir = "/etc/l7-protocols"; -+ -+ subdirs = readl7dir(dir); -+ -+ while(subdirs[n] != NULL) -+ { -+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); -+ -+ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); -+ -+ if(c > MAX_FN_LEN) -+ { -+ exit_error(OTHER_PROBLEM, -+ "Filename beginning with %s is too long!\n", filename); -+ } -+ -+ /* read in the pattern from the file */ -+ if(parse_protocol_file(filename, s, info)) -+ { -+ //fprintf(stderr, "found\n"); -+ done = 1; -+ break; -+ } -+ -+ //fprintf(stderr, "not found\n"); -+ -+ n++; -+ } -+ -+ if(!done) -+ exit_error(OTHER_PROBLEM, -+ "Couldn't find a pattern definition file for %s.\n", s); -+ -+ /* process \xHH escapes and tolower everything. (our regex lib has no -+ case insensitivity option.) */ -+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); -+} -+ -+/* Function which parses command options; returns true if it ate an option */ -+static int parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, unsigned int *nfcache, -+ struct ipt_entry_match **match) -+{ -+ struct ipt_layer7_info *layer7info = -+ (struct ipt_layer7_info *)(*match)->data; -+ -+ switch (c) { -+ case '1': -+ check_inverse(optarg, &invert, &optind, 0); -+ parse_layer7_protocol(argv[optind-1], layer7info); -+ if (invert) -+ layer7info->invert = 1; -+ *flags = 1; -+ break; -+ -+ case '2': -+ /* not going to use this, but maybe we need to strip a ! anyway (?) */ -+ check_inverse(optarg, &invert, &optind, 0); -+ -+ if(strlen(argv[optind-1]) >= MAX_FN_LEN) -+ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); -+ -+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); -+ -+ *flags = 1; -+ break; -+ case '3': -+ layer7info->pkt = 1; -+ break; -+ -+ default: -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* Final check; must have specified --pattern. */ -+static void final_check(unsigned int flags) -+{ -+ if (!flags) -+ exit_error(PARAMETER_PROBLEM, -+ "LAYER7 match: You must specify `--pattern'"); -+} -+ -+static void print_protocol(char s[], int invert, int numeric) -+{ -+ fputs("l7proto ", stdout); -+ if (invert) fputc('!', stdout); -+ printf("%s ", s); -+} -+ -+/* Prints out the matchinfo. */ -+static void print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, -+ int numeric) -+{ -+ printf("LAYER7 "); -+ -+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, -+ ((struct ipt_layer7_info *)match->data)->invert, numeric); -+ -+ if (((struct ipt_layer7_info *)match->data)->pkt) -+ printf("l7pkt "); -+} -+/* Saves the union ipt_matchinfo in parsable form to stdout. */ -+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) -+{ -+ const struct ipt_layer7_info *info = -+ (const struct ipt_layer7_info*) match->data; -+ -+ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); -+} -+ -+static struct iptables_match layer7 = { -+ .name = "layer7", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), -+ .help = &help, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ register_match(&layer7); -+} -Index: iptables-1.3.8/extensions/libipt_layer7.man -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_layer7.man 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,13 @@ -+This module matches packets based on the application layer data of -+their connections. It uses regular expression matching to compare -+the application layer data to regular expressions found it the layer7 -+configuration files. This is an experimental module which can be found at -+http://l7-filter.sf.net. It takes two options. -+.TP -+.BI "--l7proto " "\fIprotocol\fP" -+Match the specified protocol. The protocol name must match a file -+name in /etc/l7-protocols/ -+.TP -+.BI "--l7dir " "\fIdirectory\fP" -+Use \fIdirectory\fP instead of /etc/l7-protocols/ -+ diff --git a/package/iptables/patches/004-multiport_v1.patch b/package/iptables/patches/004-multiport_v1.patch deleted file mode 100644 index 1acfe24848..0000000000 --- a/package/iptables/patches/004-multiport_v1.patch +++ /dev/null @@ -1,222 +0,0 @@ -Index: iptables-1.3.8/extensions/libipt_multiport.c -=================================================================== ---- iptables-1.3.8.orig/extensions/libipt_multiport.c 2007-07-31 15:27:55.000000000 -0500 -+++ iptables-1.3.8/extensions/libipt_multiport.c 2007-07-31 15:27:56.000000000 -0500 -@@ -8,24 +8,6 @@ - /* To ensure that iptables compiles with an old kernel */ - #include "../include/linux/netfilter_ipv4/ipt_multiport.h" - --/* Function which prints out usage message. */ --static void --help(void) --{ -- printf( --"multiport v%s options:\n" --" --source-ports port[,port,port...]\n" --" --sports ...\n" --" match source port(s)\n" --" --destination-ports port[,port,port...]\n" --" --dports ...\n" --" match destination port(s)\n" --" --ports port[,port,port]\n" --" match both source and destination port(s)\n" --" NOTE: this kernel does not support port ranges in multiport.\n", --IPTABLES_VERSION); --} -- - static void - help_v1(void) - { -@@ -70,26 +52,6 @@ - } - } - --static unsigned int --parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) --{ -- char *buffer, *cp, *next; -- unsigned int i; -- -- buffer = strdup(portstring); -- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed"); -- -- for (cp=buffer, i=0; cp && idata; -- -- switch (c) { -- case '1': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(entry); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = IPT_MULTIPORT_SOURCE; -- break; -- -- case '2': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(entry); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = IPT_MULTIPORT_DESTINATION; -- break; -- -- case '3': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(entry); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = IPT_MULTIPORT_EITHER; -- break; -- -- default: -- return 0; -- } -- -- if (invert) -- exit_error(PARAMETER_PROBLEM, -- "multiport does not support invert"); -- -- if (*flags) -- exit_error(PARAMETER_PROBLEM, -- "multiport can only have one option"); -- *flags = 1; -- return 1; --} -- - static int - parse_v1(int c, char **argv, int invert, unsigned int *flags, - const struct ipt_entry *entry, -@@ -284,43 +194,6 @@ - printf("%s", service); - } - --/* Prints out the matchinfo. */ --static void --print(const struct ipt_ip *ip, -- const struct ipt_entry_match *match, -- int numeric) --{ -- const struct ipt_multiport *multiinfo -- = (const struct ipt_multiport *)match->data; -- unsigned int i; -- -- printf("multiport "); -- -- switch (multiinfo->flags) { -- case IPT_MULTIPORT_SOURCE: -- printf("sports "); -- break; -- -- case IPT_MULTIPORT_DESTINATION: -- printf("dports "); -- break; -- -- case IPT_MULTIPORT_EITHER: -- printf("ports "); -- break; -- -- default: -- printf("ERROR "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], ip->proto, numeric); -- } -- printf(" "); --} -- - static void - print_v1(const struct ipt_ip *ip, - const struct ipt_entry_match *match, -@@ -364,34 +237,6 @@ - printf(" "); - } - --/* Saves the union ipt_matchinfo in parsable form to stdout. */ --static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) --{ -- const struct ipt_multiport *multiinfo -- = (const struct ipt_multiport *)match->data; -- unsigned int i; -- -- switch (multiinfo->flags) { -- case IPT_MULTIPORT_SOURCE: -- printf("--sports "); -- break; -- -- case IPT_MULTIPORT_DESTINATION: -- printf("--dports "); -- break; -- -- case IPT_MULTIPORT_EITHER: -- printf("--ports "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], ip->proto, 1); -- } -- printf(" "); --} -- - static void save_v1(const struct ipt_ip *ip, - const struct ipt_entry_match *match) - { -@@ -427,19 +272,20 @@ - printf(" "); - } - -+ - static struct iptables_match multiport = { - .next = NULL, - .name = "multiport", -- .revision = 0, - .version = IPTABLES_VERSION, -- .size = IPT_ALIGN(sizeof(struct ipt_multiport)), -- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)), -- .help = &help, -+ .revision = 0, -+ .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), -+ .help = &help_v1, - .init = &init, -- .parse = &parse, -+ .parse = &parse_v1, - .final_check = &final_check, -- .print = &print, -- .save = &save, -+ .print = &print_v1, -+ .save = &save_v1, - .extra_opts = opts - }; - diff --git a/package/iptables/patches/005-imq1.patch b/package/iptables/patches/005-imq1.patch deleted file mode 100644 index a3741959cf..0000000000 --- a/package/iptables/patches/005-imq1.patch +++ /dev/null @@ -1,228 +0,0 @@ -Index: iptables-1.3.8/extensions/.IMQ-test6 -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/.IMQ-test6 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,3 @@ -+#!/bin/sh -+# True if IMQ target patch is applied. -+[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ -Index: iptables-1.3.8/extensions/libip6t_IMQ.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libip6t_IMQ.c 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,101 @@ -+/* Shared library add-on to iptables to add IMQ target support. */ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+/* Function which prints out usage message. */ -+static void -+help(void) -+{ -+ printf( -+"IMQ target v%s options:\n" -+" --todev enqueue to imq, defaults to 0\n", -+IPTABLES_VERSION); -+} -+ -+static struct option opts[] = { -+ { "todev", 1, 0, '1' }, -+ { 0 } -+}; -+ -+/* Initialize the target. */ -+static void -+init(struct ip6t_entry_target *t, unsigned int *nfcache) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; -+ -+ mr->todev = 0; -+ *nfcache |= NFC_UNKNOWN; -+} -+ -+/* Function which parses command options; returns true if it -+ ate an option */ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ip6t_entry *entry, -+ struct ip6t_entry_target **target) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data; -+ -+ switch(c) { -+ case '1': -+ if (check_inverse(optarg, &invert, NULL, 0)) -+ exit_error(PARAMETER_PROBLEM, -+ "Unexpected `!' after --todev"); -+ mr->todev=atoi(optarg); -+ break; -+ default: -+ return 0; -+ } -+ return 1; -+} -+ -+static void -+final_check(unsigned int flags) -+{ -+} -+ -+/* Prints out the targinfo. */ -+static void -+print(const struct ip6t_ip6 *ip, -+ const struct ip6t_entry_target *target, -+ int numeric) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; -+ -+ printf("IMQ: todev %u ", mr->todev); -+} -+ -+/* Saves the union ipt_targinfo in parsable form to stdout. */ -+static void -+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; -+ -+ printf("--todev %u", mr->todev); -+} -+ -+static struct ip6tables_target imq = { -+ .next = NULL, -+ .name = "IMQ", -+ .version = IPTABLES_VERSION, -+ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), -+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+static __attribute__((constructor)) void _init(void) -+{ -+ register_target6(&imq); -+} -Index: iptables-1.3.8/extensions/.IMQ-test -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/.IMQ-test 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,3 @@ -+#!/bin/sh -+# True if IMQ target patch is applied. -+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ -Index: iptables-1.3.8/extensions/libipt_IMQ.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_IMQ.c 2007-07-31 15:27:56.000000000 -0500 -@@ -0,0 +1,101 @@ -+/* Shared library add-on to iptables to add IMQ target support. */ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+/* Function which prints out usage message. */ -+static void -+help(void) -+{ -+ printf( -+"IMQ target v%s options:\n" -+" --todev enqueue to imq, defaults to 0\n", -+IPTABLES_VERSION); -+} -+ -+static struct option opts[] = { -+ { "todev", 1, 0, '1' }, -+ { 0 } -+}; -+ -+/* Initialize the target. */ -+static void -+init(struct ipt_entry_target *t, unsigned int *nfcache) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; -+ -+ mr->todev = 0; -+ *nfcache |= NFC_UNKNOWN; -+} -+ -+/* Function which parses command options; returns true if it -+ ate an option */ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; -+ -+ switch(c) { -+ case '1': -+ if (check_inverse(optarg, &invert, NULL, 0)) -+ exit_error(PARAMETER_PROBLEM, -+ "Unexpected `!' after --todev"); -+ mr->todev=atoi(optarg); -+ break; -+ default: -+ return 0; -+ } -+ return 1; -+} -+ -+static void -+final_check(unsigned int flags) -+{ -+} -+ -+/* Prints out the targinfo. */ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, -+ int numeric) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; -+ -+ printf("IMQ: todev %u ", mr->todev); -+} -+ -+/* Saves the union ipt_targinfo in parsable form to stdout. */ -+static void -+save(const struct ipt_ip *ip, const struct ipt_entry_target *target) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; -+ -+ printf("--todev %u", mr->todev); -+} -+ -+static struct iptables_target imq = { -+ .next = NULL, -+ .name = "IMQ", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+static __attribute__((constructor)) void _init(void) -+{ -+ register_target(&imq); -+} diff --git a/package/iptables/patches/008-chaostables.patch b/package/iptables/patches/008-chaostables.patch deleted file mode 100644 index 60b077942a..0000000000 --- a/package/iptables/patches/008-chaostables.patch +++ /dev/null @@ -1,342 +0,0 @@ -Index: iptables-1.3.8/extensions/.CHAOS-test -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/.CHAOS-test 2007-07-31 15:27:57.000000000 -0500 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"; -Index: iptables-1.3.8/extensions/.DELUDE-test -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/.DELUDE-test 2007-07-31 15:27:57.000000000 -0500 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+echo "DELUDE"; -Index: iptables-1.3.8/extensions/libipt_CHAOS.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_CHAOS.c 2007-07-31 15:27:57.000000000 -0500 -@@ -0,0 +1,111 @@ -+/* -+ CHAOS target for iptables -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. -+*/ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+static void libipt_chaos_help(void) -+{ -+ printf( -+ "CHAOS target v%s options:\n" -+ " --delude Enable DELUDE processing for TCP\n" -+ " --tarpit Enable TARPIT processing for TCP\n", -+ IPTABLES_VERSION); -+ return; -+} -+ -+static int libipt_chaos_parse(int c, char **argv, int invert, -+ unsigned int *flags, const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ struct xt_chaos_info *info = (void *)((*target)->data); -+ switch(c) { -+ case 'd': -+ info->variant = XTCHAOS_DELUDE; -+ *flags |= 0x02; -+ return 1; -+ case 't': -+ info->variant = XTCHAOS_TARPIT; -+ *flags |= 0x01; -+ return 1; -+ } -+ return 0; -+} -+ -+static void libipt_chaos_check(unsigned int flags) -+{ -+ if(flags != 0x03) -+ return; -+ /* If flags == 0x03, both were specified, which should not be. */ -+ exit_error(PARAMETER_PROBLEM, -+ "CHAOS: only one of --tarpit or --delude may be specified"); -+ return; -+} -+ -+static void libipt_chaos_print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, int numeric) -+{ -+ const struct xt_chaos_info *info = (const void *)target->data; -+ switch(info->variant) { -+ case XTCHAOS_DELUDE: -+ printf("DELUDE "); -+ break; -+ case XTCHAOS_TARPIT: -+ printf("TARPIT "); -+ break; -+ default: -+ break; -+ } -+ return; -+} -+ -+static void libipt_chaos_save(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target) -+{ -+ const struct xt_chaos_info *info = (const void *)target->data; -+ switch(info->variant) { -+ case XTCHAOS_DELUDE: -+ printf("--delude "); -+ break; -+ case XTCHAOS_TARPIT: -+ printf("--tarpit "); -+ break; -+ default: -+ break; -+ } -+ return; -+} -+ -+static struct option libipt_chaos_opts[] = { -+ {"delude", 0, NULL, 'd'}, -+ {"tarpit", 0, NULL, 't'}, -+ {NULL}, -+}; -+ -+static struct iptables_target libipt_chaos_info = { -+ .name = "CHAOS", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)), -+ .help = libipt_chaos_help, -+ .parse = libipt_chaos_parse, -+ .final_check = libipt_chaos_check, -+ .print = libipt_chaos_print, -+ .save = libipt_chaos_save, -+ .extra_opts = libipt_chaos_opts, -+}; -+ -+static __attribute__((constructor)) void libipt_chaos_init(void) -+{ -+ register_target(&libipt_chaos_info); -+ return; -+} -Index: iptables-1.3.8/extensions/libipt_DELUDE.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_DELUDE.c 2007-07-31 15:27:57.000000000 -0500 -@@ -0,0 +1,66 @@ -+/* -+ DELUDE target for iptables -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. -+*/ -+#include -+#include -+#include -+ -+#include -+#include -+ -+static void libipt_delude_help(void) -+{ -+ printf("DELUDE takes no options\n"); -+ return; -+} -+ -+static int libipt_delude_parse(int c, char **argv, int invert, -+ unsigned int *flags, const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void libipt_delude_check(unsigned int flags) -+{ -+ return; -+} -+ -+static void libipt_delude_print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, int numeric) -+{ -+ return; -+} -+ -+static void libipt_delude_save(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target) -+{ -+ return; -+} -+ -+static struct option libipt_delude_opts[] = { -+ {NULL}, -+}; -+ -+static struct iptables_target libipt_delude_info = { -+ .name = "DELUDE", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(0), -+ .userspacesize = IPT_ALIGN(0), -+ .help = libipt_delude_help, -+ .parse = libipt_delude_parse, -+ .final_check = libipt_delude_check, -+ .print = libipt_delude_print, -+ .save = libipt_delude_save, -+ .extra_opts = libipt_delude_opts, -+}; -+ -+static __attribute__((constructor)) void libipt_delude_init(void) -+{ -+ register_target(&libipt_delude_info); -+ return; -+} -Index: iptables-1.3.8/extensions/libipt_portscan.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/libipt_portscan.c 2007-07-31 15:27:57.000000000 -0500 -@@ -0,0 +1,129 @@ -+/* -+ portscan match for iptables -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. -+*/ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+static void libipt_portscan_help(void) -+{ -+ printf( -+ "portscan match v%s options:\n" -+ "(Combining them will make them match by OR-logic)\n" -+ " --stealth Match TCP Stealth packets\n" -+ " --synscan Match TCP SYN scans\n" -+ " --cnscan Match TCP Connect scans\n" -+ " --grscan Match Banner Grabbing scans\n", -+ IPTABLES_VERSION); -+ return; -+} -+ -+static void libipt_portscan_mtinit(struct ipt_entry_match *match, -+ unsigned int *nfcache) -+{ -+ /* Cannot cache this */ -+ *nfcache |= NFC_UNKNOWN; -+ return; -+} -+ -+static int libipt_portscan_parse(int c, char **argv, int invert, -+ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc, -+ struct ipt_entry_match **match) -+{ -+ struct xt_portscan_info *info = (void *)((*match)->data); -+ -+ switch(c) { -+ case 'c': -+ info->match_cn = 1; -+ return 1; -+ case 'g': -+ info->match_gr = 1; -+ return 1; -+ case 's': -+ info->match_syn = 1; -+ return 1; -+ case 'x': -+ info->match_stealth = 1; -+ return 1; -+ default: -+ return 0; -+ } -+} -+ -+static void libipt_portscan_check(unsigned int flags) -+{ -+ return; -+} -+ -+static void libipt_portscan_print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, int numeric) -+{ -+ const struct xt_portscan_info *info = (const void *)(match->data); -+ const char *s = ""; -+ -+ printf("portscan "); -+ if(info->match_stealth) { -+ printf("STEALTH"); -+ s = ","; -+ } -+ if(info->match_syn) { -+ printf("%sSYNSCAN", s); -+ s = ","; -+ } -+ if(info->match_cn) { -+ printf("%sCNSCAN", s); -+ s = ","; -+ } -+ if(info->match_gr) -+ printf("%sGRSCAN", s); -+ printf(" "); -+ return; -+} -+ -+static void libipt_portscan_save(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match) -+{ -+ const struct xt_portscan_info *info = (const void *)(match->data); -+ if(info->match_stealth) printf("--stealth "); -+ if(info->match_syn) printf("--synscan "); -+ if(info->match_cn) printf("--cnscan "); -+ if(info->match_gr) printf("--grscan "); -+ return; -+} -+ -+static struct option libipt_portscan_opts[] = { -+ {"stealth", 0, NULL, 'x'}, -+ {"synscan", 0, NULL, 's'}, -+ {"cnscan", 0, NULL, 'c'}, -+ {"grscan", 0, NULL, 'g'}, -+ {NULL}, -+}; -+ -+static struct iptables_match libipt_portscan_info = { -+ .name = "portscan", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)), -+ .help = libipt_portscan_help, -+ .init = libipt_portscan_mtinit, -+ .parse = libipt_portscan_parse, -+ .final_check = libipt_portscan_check, -+ .print = libipt_portscan_print, -+ .save = libipt_portscan_save, -+ .extra_opts = libipt_portscan_opts, -+}; -+ -+static __attribute__((constructor)) void libipt_portscan_init(void) -+{ -+ register_match(&libipt_portscan_info); -+ return; -+} -Index: iptables-1.3.8/extensions/.portscan-test -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ iptables-1.3.8/extensions/.portscan-test 2007-07-31 15:27:57.000000000 -0500 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"; diff --git a/package/iptables/patches/009-tarpit-support.patch b/package/iptables/patches/009-tarpit-support.patch deleted file mode 100644 index 3105379877..0000000000 --- a/package/iptables/patches/009-tarpit-support.patch +++ /dev/null @@ -1,106 +0,0 @@ -diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.c iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c ---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.c 1969-12-31 19:00:00.000000000 -0500 -+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c 2007-08-18 14:49:25.000000000 -0400 -@@ -0,0 +1,58 @@ -+/* Shared library add-on to iptables for TARPIT support */ -+#include -+#include -+#include -+ -+static void -+help(void) -+{ -+ fputs( -+"TARPIT takes no options\n" -+"\n", stdout); -+} -+ -+static struct option opts[] = { -+ { 0 } -+}; -+ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void final_check(unsigned int flags) -+{ -+} -+ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, -+ int numeric) -+{ -+} -+ -+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) -+{ -+} -+ -+static struct iptables_target tarpit = { -+ .next = NULL, -+ .name = "TARPIT", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(0), -+ .userspacesize = IPT_ALIGN(0), -+ .help = &help, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ register_target(&tarpit); -+} -diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.man iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man ---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.man 1969-12-31 19:00:00.000000000 -0500 -+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man 2007-08-18 14:49:25.000000000 -0400 -@@ -0,0 +1,34 @@ -+Captures and holds incoming TCP connections using no local -+per-connection resources. Connections are accepted, but immediately -+switched to the persist state (0 byte window), in which the remote -+side stops sending data and asks to continue every 60-240 seconds. -+Attempts to close the connection are ignored, forcing the remote side -+to time out the connection in 12-24 minutes. -+ -+This offers similar functionality to LaBrea -+ but doesn't require dedicated -+hardware or IPs. Any TCP port that you would normally DROP or REJECT -+can instead become a tarpit. -+ -+To tarpit connections to TCP port 80 destined for the current machine: -+.IP -+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT -+.P -+To significantly slow down Code Red/Nimda-style scans of unused address -+space, forward unused ip addresses to a Linux box not acting as a router -+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP -+forwarding on the Linux box, and add: -+.IP -+iptables -A FORWARD -p tcp -j TARPIT -+.IP -+iptables -A FORWARD -j DROP -+.TP -+NOTE: -+If you use the conntrack module while you are using TARPIT, you should -+also use the NOTRACK target, or the kernel will unnecessarily allocate -+resources for each TARPITted connection. To TARPIT incoming -+connections to the standard IRC port while using conntrack, you could: -+.IP -+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK -+.IP -+iptables -A INPUT -p tcp --dport 6667 -j TARPIT -diff -N -u -r iptables-1.3.8-20070817/extensions/.TARPIT-test iptables-1.3.8-20070817-nf/extensions/.TARPIT-test ---- iptables-1.3.8-20070817/extensions/.TARPIT-test 1969-12-31 19:00:00.000000000 -0500 -+++ iptables-1.3.8-20070817-nf/extensions/.TARPIT-test 2007-08-18 14:49:25.000000000 -0400 -@@ -0,0 +1,2 @@ -+#! /bin/sh -+[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT diff --git a/package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch b/package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch new file mode 100644 index 0000000000..e8c82c2155 --- /dev/null +++ b/package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch @@ -0,0 +1,457 @@ +Index: iptables-1.3.8/extensions/Makefile +=================================================================== +--- iptables-1.3.8.orig/extensions/Makefile ++++ iptables-1.3.8/extensions/Makefile +@@ -13,6 +13,10 @@ PF_EXT_SE_SLIB:=SECMARK CONNSECMARK + PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK + endif + ++ ++# ipp2p ++PF_EXT_SLIB += ipp2p ++ + # Optionals + PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) + PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) +Index: iptables-1.3.8/extensions/libipt_ipp2p.c +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/libipt_ipp2p.c +@@ -0,0 +1,401 @@ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++static void ++help(void) ++{ ++ printf( ++ "IPP2P v%s options:\n" ++ " --ipp2p Grab all known p2p packets\n" ++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" ++ " --dc [TCP] All known Direct Connect packets\n" ++ " --kazaa [TCP&UDP] All known KaZaA packets\n" ++ " --gnu [TCP&UDP] All known Gnutella packets\n" ++ " --bit [TCP&UDP] All known BitTorrent packets\n" ++ " --apple [TCP] All known AppleJuice packets\n" ++ " --winmx [TCP] All known WinMX\n" ++ " --soul [TCP] All known SoulSeek\n" ++ " --ares [TCP] All known Ares\n\n" ++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" ++ " --mute [TCP] All known Mute packets\n" ++ " --waste [TCP] All known Waste packets\n" ++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n" ++ " DEBUG SUPPPORT, use only if you know why\n" ++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" ++ "\nNote that the follwing options will have the same meaning:\n" ++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n" ++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" ++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" ++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" ++ "\nExamples:\n" ++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" ++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" ++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" ++ , IPP2P_VERSION); ++} ++ ++static struct option opts[] = { ++ { "ipp2p", 0, 0, '1' }, ++ { "edk", 0, 0, '2' }, ++ { "dc", 0, 0, '7' }, ++ { "gnu", 0, 0, '9' }, ++ { "kazaa", 0, 0, 'a' }, ++ { "bit", 0, 0, 'b' }, ++ { "apple", 0, 0, 'c' }, ++ { "soul", 0, 0, 'd' }, ++ { "winmx", 0, 0, 'e' }, ++ { "ares", 0, 0, 'f' }, ++ { "mute", 0, 0, 'g' }, ++ { "waste", 0, 0, 'h' }, ++ { "xdcc", 0, 0, 'i' }, ++ { "debug", 0, 0, 'j' }, ++ {0} ++}; ++ ++ ++ ++static void ++init(struct ipt_entry_match *m, unsigned int *nfcache) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; ++ ++ *nfcache |= NFC_UNKNOWN; ++ ++ /*init the module with default values*/ ++ info->cmd = 0; ++ info->debug = 0; ++ ++} ++ ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': /*cmd: ipp2p*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags) != 0) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += SHORT_HAND_IPP2P; ++ info->cmd = *flags; ++ break; ++ ++ case '2': /*cmd: edk*/ ++ if ((*flags & IPP2P_EDK) == IPP2P_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--edk' may only be " ++ "specified once"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_EDK; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '7': /*cmd: dc*/ ++ if ((*flags & IPP2P_DC) == IPP2P_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--dc' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DC; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '9': /*cmd: gnu*/ ++ if ((*flags & IPP2P_GNU) == IPP2P_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--gnu' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_GNU; ++ info->cmd = *flags; ++ break; ++ ++ case 'a': /*cmd: kazaa*/ ++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--kazaa' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_KAZAA; ++ info->cmd = *flags; ++ break; ++ ++ case 'b': /*cmd: bit*/ ++ if ((*flags & IPP2P_BIT) == IPP2P_BIT) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--bit' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_BIT; ++ info->cmd = *flags; ++ break; ++ ++ case 'c': /*cmd: apple*/ ++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--apple' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_APPLE; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'd': /*cmd: soul*/ ++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--soul' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_SOUL; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'e': /*cmd: winmx*/ ++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--winmx' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WINMX; ++ info->cmd = *flags; ++ break; ++ ++ case 'f': /*cmd: ares*/ ++ if ((*flags & IPP2P_ARES) == IPP2P_ARES) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_ARES; ++ info->cmd = *flags; ++ break; ++ ++ case 'g': /*cmd: mute*/ ++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--mute' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_MUTE; ++ info->cmd = *flags; ++ break; ++ case 'h': /*cmd: waste*/ ++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--waste' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WASTE; ++ info->cmd = *flags; ++ break; ++ case 'i': /*cmd: xdcc*/ ++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_XDCC; ++ info->cmd = *flags; ++ break; ++ ++ case 'j': /*cmd: debug*/ ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ info->debug = 1; ++ break; ++ ++ default: ++// exit_error(PARAMETER_PROBLEM, ++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++ return 0; ++ } ++ return 1; ++} ++ ++ ++static void ++final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++} ++ ++ ++ ++static void ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ printf("ipp2p v%s", IPP2P_VERSION); ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf(" --debug"); ++ printf(" "); ++} ++ ++ ++ ++static void ++save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf("--debug "); ++} ++ ++ ++ ++ ++static ++struct iptables_match ipp2p= ++{ ++ .next = NULL, ++ .name = "ipp2p", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++ ++ ++void _init(void) ++{ ++ register_match(&ipp2p); ++} ++ +Index: iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h +=================================================================== +--- /dev/null ++++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h +@@ -0,0 +1,31 @@ ++#ifndef __IPT_IPP2P_H ++#define __IPT_IPP2P_H ++#define IPP2P_VERSION "0.8.1_rc1" ++ ++struct ipt_p2p_info { ++ int cmd; ++ int debug; ++}; ++ ++#endif //__IPT_IPP2P_H ++ ++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ ++//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ ++#define SHORT_HAND_NONE 5 /* no short hand*/ ++ ++#define IPP2P_EDK (1 << 1) ++#define IPP2P_DATA_KAZAA (1 << 2) ++#define IPP2P_DATA_EDK (1 << 3) ++#define IPP2P_DATA_DC (1 << 4) ++#define IPP2P_DC (1 << 5) ++#define IPP2P_DATA_GNU (1 << 6) ++#define IPP2P_GNU (1 << 7) ++#define IPP2P_KAZAA (1 << 8) ++#define IPP2P_BIT (1 << 9) ++#define IPP2P_APPLE (1 << 10) ++#define IPP2P_SOUL (1 << 11) ++#define IPP2P_WINMX (1 << 12) ++#define IPP2P_ARES (1 << 13) ++#define IPP2P_MUTE (1 << 14) ++#define IPP2P_WASTE (1 << 15) ++#define IPP2P_XDCC (1 << 16) diff --git a/package/iptables/patches/1.3.8/002-layer7_2.17.patch b/package/iptables/patches/1.3.8/002-layer7_2.17.patch new file mode 100644 index 0000000000..68da741e00 --- /dev/null +++ b/package/iptables/patches/1.3.8/002-layer7_2.17.patch @@ -0,0 +1,425 @@ +Index: iptables-1.3.8/extensions/.layer7-test +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/.layer7-test +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7 +Index: iptables-1.3.8/extensions/libipt_layer7.c +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/libipt_layer7.c +@@ -0,0 +1,394 @@ ++/* ++ Shared library add-on to iptables to add layer 7 matching support. ++ ++ By Matthew Strait , Oct 2003. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on libipt_string.c (C) 2000 Emmanuel Roger ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "LAYER7 match v%s options:\n" ++ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used!)\n" ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n", ++ IPTABLES_VERSION); ++ fputc('\n', stdout); ++} ++ ++static struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, ++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = 0 } ++}; ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ size_t len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ /* Ignore everything on the line beginning with the ++ first space or tab . For instance, this allows the ++ protocol line in http.pat to be "http " (or ++ "http I am so cool") instead of just "http". */ ++ if(strchr(line, ' ')){ ++ char * space = strchr(line, ' '); ++ space[0] = '\0'; ++ } ++ if(strchr(line, '\t')){ ++ char * space = strchr(line, '\t'); ++ space[0] = '\0'; ++ } ++ ++ /* sanity check. First non-comment non-blank ++ line must be the same as the file name. */ ++ if(strcmp(line, protoname)) ++ exit_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ line, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ exit_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ exit_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++ ++/* ++ fprintf(stderr, "protocol: %s\npattern: %s\n\n", ++ info->protocol, ++ info->pattern); ++*/ ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ ++ switch ( result[rindex] ) ++ { ++ case 0x24: ++ case 0x28: ++ case 0x29: ++ case 0x2a: ++ case 0x2b: ++ case 0x2e: ++ case 0x3f: ++ case 0x5b: ++ case 0x5c: ++ case 0x5d: ++ case 0x5e: ++ case 0x7c: ++ fprintf(stderr, ++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n" ++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n", ++ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]); ++ break; ++ case 0x00: ++ fprintf(stderr, ++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n"); ++ break; ++ default: ++ break; ++ } ++ ++ ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rindex++; ++ } ++ result[rindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void ++parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) ++ dir = l7dir; ++ else ++ dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); ++ ++ if(c > MAX_FN_LEN) ++ { ++ exit_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ } ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)) ++ { ++ //fprintf(stderr, "found\n"); ++ done = 1; ++ break; ++ } ++ ++ //fprintf(stderr, "not found\n"); ++ ++ n++; ++ } ++ ++ if(!done) ++ exit_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_layer7_info *layer7info = ++ (struct ipt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': ++ check_inverse(optarg, &invert, &optind, 0); ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = 1; ++ *flags = 1; ++ break; ++ ++ case '2': ++ /* not going to use this, but maybe we need to strip a ! anyway (?) */ ++ check_inverse(optarg, &invert, &optind, 0); ++ ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --l7proto */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--l7proto'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ ++ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, ++ ((struct ipt_layer7_info *)match->data)->invert, numeric); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ const struct ipt_layer7_info *info = ++ (const struct ipt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); ++} ++ ++static struct iptables_match layer7 = { ++ .name = "layer7", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .help = &help, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_match(&layer7); ++} +Index: iptables-1.3.8/extensions/libipt_layer7.man +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/libipt_layer7.man +@@ -0,0 +1,14 @@ ++This module matches packets based on the application layer data of ++their connections. It uses regular expression matching to compare ++the application layer data to regular expressions found it the layer7 ++configuration files. This is an experimental module which can be found at ++http://l7-filter.sf.net. It takes two options. ++.TP ++.BI "--l7proto " "\fIprotocol\fP" ++Match the specified protocol. The protocol name must match a file ++name in /etc/l7-protocols/ or one of its first-level child directories. ++.TP ++.BI "--l7dir " "\fIdirectory\fP" ++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be ++specified before --l7proto. ++ diff --git a/package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch b/package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch new file mode 100644 index 0000000000..c88f759630 --- /dev/null +++ b/package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch @@ -0,0 +1,42 @@ +Index: iptables-1.3.8/extensions/libipt_layer7.c +=================================================================== +--- iptables-1.3.8.orig/extensions/libipt_layer7.c ++++ iptables-1.3.8/extensions/libipt_layer7.c +@@ -37,7 +37,8 @@ static void help(void) + "LAYER7 match v%s options:\n" + "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" + " (--l7dir must be specified before --l7proto if used!)\n" +- "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n", ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n" ++ "--l7pkt : Skip connection tracking and match individual packets\n", + IPTABLES_VERSION); + fputc('\n', stdout); + } +@@ -45,6 +46,7 @@ static void help(void) + static struct option opts[] = { + { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, + { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' }, + { .name = 0 } + }; + +@@ -333,6 +335,9 @@ static int parse(int c, char **argv, int + + *flags = 1; + break; ++ case '3': ++ layer7info->pkt = 1; ++ break; + + default: + return 0; +@@ -365,6 +370,9 @@ static void print(const struct ipt_ip *i + + print_protocol(((struct ipt_layer7_info *)match->data)->protocol, + ((struct ipt_layer7_info *)match->data)->invert, numeric); ++ ++ if (((struct ipt_layer7_info *)match->data)->pkt) ++ printf("l7pkt "); + } + /* Saves the union ipt_matchinfo in parsable form to stdout. */ + static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) diff --git a/package/iptables/patches/1.3.8/004-drop_multiport_v0_support.patch b/package/iptables/patches/1.3.8/004-drop_multiport_v0_support.patch new file mode 100644 index 0000000000..e5cbeb6f34 --- /dev/null +++ b/package/iptables/patches/1.3.8/004-drop_multiport_v0_support.patch @@ -0,0 +1,222 @@ +Index: iptables-1.3.8/extensions/libipt_multiport.c +=================================================================== +--- iptables-1.3.8.orig/extensions/libipt_multiport.c ++++ iptables-1.3.8/extensions/libipt_multiport.c +@@ -8,24 +8,6 @@ + /* To ensure that iptables compiles with an old kernel */ + #include "../include/linux/netfilter_ipv4/ipt_multiport.h" + +-/* Function which prints out usage message. */ +-static void +-help(void) +-{ +- printf( +-"multiport v%s options:\n" +-" --source-ports port[,port,port...]\n" +-" --sports ...\n" +-" match source port(s)\n" +-" --destination-ports port[,port,port...]\n" +-" --dports ...\n" +-" match destination port(s)\n" +-" --ports port[,port,port]\n" +-" match both source and destination port(s)\n" +-" NOTE: this kernel does not support port ranges in multiport.\n", +-IPTABLES_VERSION); +-} +- + static void + help_v1(void) + { +@@ -70,26 +52,6 @@ proto_to_name(u_int8_t proto) + } + } + +-static unsigned int +-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) +-{ +- char *buffer, *cp, *next; +- unsigned int i; +- +- buffer = strdup(portstring); +- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed"); +- +- for (cp=buffer, i=0; cp && idata; +- +- switch (c) { +- case '1': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(entry); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = IPT_MULTIPORT_SOURCE; +- break; +- +- case '2': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(entry); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = IPT_MULTIPORT_DESTINATION; +- break; +- +- case '3': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(entry); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = IPT_MULTIPORT_EITHER; +- break; +- +- default: +- return 0; +- } +- +- if (invert) +- exit_error(PARAMETER_PROBLEM, +- "multiport does not support invert"); +- +- if (*flags) +- exit_error(PARAMETER_PROBLEM, +- "multiport can only have one option"); +- *flags = 1; +- return 1; +-} +- + static int + parse_v1(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, +@@ -284,43 +194,6 @@ print_port(u_int16_t port, u_int8_t prot + printf("%s", service); + } + +-/* Prints out the matchinfo. */ +-static void +-print(const struct ipt_ip *ip, +- const struct ipt_entry_match *match, +- int numeric) +-{ +- const struct ipt_multiport *multiinfo +- = (const struct ipt_multiport *)match->data; +- unsigned int i; +- +- printf("multiport "); +- +- switch (multiinfo->flags) { +- case IPT_MULTIPORT_SOURCE: +- printf("sports "); +- break; +- +- case IPT_MULTIPORT_DESTINATION: +- printf("dports "); +- break; +- +- case IPT_MULTIPORT_EITHER: +- printf("ports "); +- break; +- +- default: +- printf("ERROR "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], ip->proto, numeric); +- } +- printf(" "); +-} +- + static void + print_v1(const struct ipt_ip *ip, + const struct ipt_entry_match *match, +@@ -364,34 +237,6 @@ print_v1(const struct ipt_ip *ip, + printf(" "); + } + +-/* Saves the union ipt_matchinfo in parsable form to stdout. */ +-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +-{ +- const struct ipt_multiport *multiinfo +- = (const struct ipt_multiport *)match->data; +- unsigned int i; +- +- switch (multiinfo->flags) { +- case IPT_MULTIPORT_SOURCE: +- printf("--sports "); +- break; +- +- case IPT_MULTIPORT_DESTINATION: +- printf("--dports "); +- break; +- +- case IPT_MULTIPORT_EITHER: +- printf("--ports "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], ip->proto, 1); +- } +- printf(" "); +-} +- + static void save_v1(const struct ipt_ip *ip, + const struct ipt_entry_match *match) + { +@@ -427,19 +272,20 @@ static void save_v1(const struct ipt_ip + printf(" "); + } + ++ + static struct iptables_match multiport = { + .next = NULL, + .name = "multiport", +- .revision = 0, + .version = IPTABLES_VERSION, +- .size = IPT_ALIGN(sizeof(struct ipt_multiport)), +- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)), +- .help = &help, ++ .revision = 0, ++ .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), ++ .help = &help_v1, + .init = &init, +- .parse = &parse, ++ .parse = &parse_v1, + .final_check = &final_check, +- .print = &print, +- .save = &save, ++ .print = &print_v1, ++ .save = &save_v1, + .extra_opts = opts + }; + diff --git a/package/iptables/patches/1.3.8/005-imq1.patch b/package/iptables/patches/1.3.8/005-imq1.patch new file mode 100644 index 0000000000..f17ddeafd6 --- /dev/null +++ b/package/iptables/patches/1.3.8/005-imq1.patch @@ -0,0 +1,228 @@ +Index: iptables-1.3.8/extensions/.IMQ-test6 +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/.IMQ-test6 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ +Index: iptables-1.3.8/extensions/libip6t_IMQ.c +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/libip6t_IMQ.c +@@ -0,0 +1,101 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev enqueue to imq, defaults to 0\n", ++IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void ++init(struct ip6t_entry_target *t, unsigned int *nfcache) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; ++ ++ mr->todev = 0; ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ip6t_entry *entry, ++ struct ip6t_entry_target **target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++} ++ ++/* Prints out the targinfo. */ ++static void ++print(const struct ip6t_ip6 *ip, ++ const struct ip6t_entry_target *target, ++ int numeric) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void ++save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct ip6tables_target imq = { ++ .next = NULL, ++ .name = "IMQ", ++ .version = IPTABLES_VERSION, ++ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), ++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++static __attribute__((constructor)) void _init(void) ++{ ++ register_target6(&imq); ++} +Index: iptables-1.3.8/extensions/.IMQ-test +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/.IMQ-test +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ +Index: iptables-1.3.8/extensions/libipt_IMQ.c +=================================================================== +--- /dev/null ++++ iptables-1.3.8/extensions/libipt_IMQ.c +@@ -0,0 +1,101 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev enqueue to imq, defaults to 0\n", ++IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void ++init(struct ipt_entry_target *t, unsigned int *nfcache) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; ++ ++ mr->todev = 0; ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++} ++ ++/* Prints out the targinfo. */ ++static void ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, ++ int numeric) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void ++save(const struct ipt_ip *ip, const struct ipt_entry_target *target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct iptables_target imq = { ++ .next = NULL, ++ .name = "IMQ", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++static __attribute__((constructor)) void _init(void) ++{ ++ register_target(&imq); ++} diff --git a/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch b/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch new file mode 100644 index 0000000000..3b32b948b3 --- /dev/null +++ b/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch @@ -0,0 +1,454 @@ +Index: iptables-1.4.0/extensions/Makefile +=================================================================== +--- iptables-1.4.0.orig/extensions/Makefile ++++ iptables-1.4.0/extensions/Makefile +@@ -19,6 +19,10 @@ PF6_EXT_SE_SLIB:=$(PF6_EXT_SELINUX_SLIB) + PFX_EXT_SE_SLIB:=$(PFX_EXT_SELINUX_SLIB) + endif + ++ ++# ipp2p ++PF_EXT_SLIB += ipp2p ++ + # Optionals + PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) + PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) +Index: iptables-1.4.0/extensions/libipt_ipp2p.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libipt_ipp2p.c +@@ -0,0 +1,398 @@ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++static void ++help(void) ++{ ++ printf( ++ "IPP2P v%s options:\n" ++ " --ipp2p Grab all known p2p packets\n" ++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" ++ " --dc [TCP] All known Direct Connect packets\n" ++ " --kazaa [TCP&UDP] All known KaZaA packets\n" ++ " --gnu [TCP&UDP] All known Gnutella packets\n" ++ " --bit [TCP&UDP] All known BitTorrent packets\n" ++ " --apple [TCP] All known AppleJuice packets\n" ++ " --winmx [TCP] All known WinMX\n" ++ " --soul [TCP] All known SoulSeek\n" ++ " --ares [TCP] All known Ares\n\n" ++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" ++ " --mute [TCP] All known Mute packets\n" ++ " --waste [TCP] All known Waste packets\n" ++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n" ++ " DEBUG SUPPPORT, use only if you know why\n" ++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" ++ "\nNote that the follwing options will have the same meaning:\n" ++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n" ++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" ++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" ++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" ++ "\nExamples:\n" ++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" ++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" ++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" ++ , IPP2P_VERSION); ++} ++ ++static struct option opts[] = { ++ { "ipp2p", 0, 0, '1' }, ++ { "edk", 0, 0, '2' }, ++ { "dc", 0, 0, '7' }, ++ { "gnu", 0, 0, '9' }, ++ { "kazaa", 0, 0, 'a' }, ++ { "bit", 0, 0, 'b' }, ++ { "apple", 0, 0, 'c' }, ++ { "soul", 0, 0, 'd' }, ++ { "winmx", 0, 0, 'e' }, ++ { "ares", 0, 0, 'f' }, ++ { "mute", 0, 0, 'g' }, ++ { "waste", 0, 0, 'h' }, ++ { "xdcc", 0, 0, 'i' }, ++ { "debug", 0, 0, 'j' }, ++ {0} ++}; ++ ++ ++ ++static void ++init(struct xt_entry_match *m) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; ++ ++ /*init the module with default values*/ ++ info->cmd = 0; ++ info->debug = 0; ++ ++} ++ ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, ++ struct xt_entry_match **match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': /*cmd: ipp2p*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags) != 0) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += SHORT_HAND_IPP2P; ++ info->cmd = *flags; ++ break; ++ ++ case '2': /*cmd: edk*/ ++ if ((*flags & IPP2P_EDK) == IPP2P_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--edk' may only be " ++ "specified once"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_EDK; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '7': /*cmd: dc*/ ++ if ((*flags & IPP2P_DC) == IPP2P_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--dc' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DC; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '9': /*cmd: gnu*/ ++ if ((*flags & IPP2P_GNU) == IPP2P_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--gnu' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_GNU; ++ info->cmd = *flags; ++ break; ++ ++ case 'a': /*cmd: kazaa*/ ++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--kazaa' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_KAZAA; ++ info->cmd = *flags; ++ break; ++ ++ case 'b': /*cmd: bit*/ ++ if ((*flags & IPP2P_BIT) == IPP2P_BIT) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--bit' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_BIT; ++ info->cmd = *flags; ++ break; ++ ++ case 'c': /*cmd: apple*/ ++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--apple' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_APPLE; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'd': /*cmd: soul*/ ++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--soul' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_SOUL; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'e': /*cmd: winmx*/ ++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--winmx' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WINMX; ++ info->cmd = *flags; ++ break; ++ ++ case 'f': /*cmd: ares*/ ++ if ((*flags & IPP2P_ARES) == IPP2P_ARES) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_ARES; ++ info->cmd = *flags; ++ break; ++ ++ case 'g': /*cmd: mute*/ ++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--mute' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_MUTE; ++ info->cmd = *flags; ++ break; ++ case 'h': /*cmd: waste*/ ++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--waste' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WASTE; ++ info->cmd = *flags; ++ break; ++ case 'i': /*cmd: xdcc*/ ++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_XDCC; ++ info->cmd = *flags; ++ break; ++ ++ case 'j': /*cmd: debug*/ ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ info->debug = 1; ++ break; ++ ++ default: ++// exit_error(PARAMETER_PROBLEM, ++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++ return 0; ++ } ++ return 1; ++} ++ ++ ++static void ++final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++} ++ ++ ++ ++static void ++print(const void *ip, ++ const struct xt_entry_match *match, ++ int numeric) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ printf("ipp2p v%s", IPP2P_VERSION); ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf(" --debug"); ++ printf(" "); ++} ++ ++ ++ ++static void ++save(const void *ip, const struct xt_entry_match *match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf("--debug "); ++} ++ ++ ++ ++ ++static ++struct iptables_match ipp2p= ++{ ++ .family = AF_INET, ++ .name = "ipp2p", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .help = help, ++ .init = init, ++ .parse = parse, ++ .final_check = final_check, ++ .print = print, ++ .save = save, ++ .extra_opts = opts ++}; ++ ++ ++ ++void _init(void) ++{ ++ register_match(&ipp2p); ++} ++ +Index: iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h +=================================================================== +--- /dev/null ++++ iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h +@@ -0,0 +1,31 @@ ++#ifndef __IPT_IPP2P_H ++#define __IPT_IPP2P_H ++#define IPP2P_VERSION "0.8.1_rc1" ++ ++struct ipt_p2p_info { ++ int cmd; ++ int debug; ++}; ++ ++#endif //__IPT_IPP2P_H ++ ++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ ++//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ ++#define SHORT_HAND_NONE 5 /* no short hand*/ ++ ++#define IPP2P_EDK (1 << 1) ++#define IPP2P_DATA_KAZAA (1 << 2) ++#define IPP2P_DATA_EDK (1 << 3) ++#define IPP2P_DATA_DC (1 << 4) ++#define IPP2P_DC (1 << 5) ++#define IPP2P_DATA_GNU (1 << 6) ++#define IPP2P_GNU (1 << 7) ++#define IPP2P_KAZAA (1 << 8) ++#define IPP2P_BIT (1 << 9) ++#define IPP2P_APPLE (1 << 10) ++#define IPP2P_SOUL (1 << 11) ++#define IPP2P_WINMX (1 << 12) ++#define IPP2P_ARES (1 << 13) ++#define IPP2P_MUTE (1 << 14) ++#define IPP2P_WASTE (1 << 15) ++#define IPP2P_XDCC (1 << 16) diff --git a/package/iptables/patches/1.4.0/002-layer7_2.17.patch b/package/iptables/patches/1.4.0/002-layer7_2.17.patch new file mode 100644 index 0000000000..ed19118b09 --- /dev/null +++ b/package/iptables/patches/1.4.0/002-layer7_2.17.patch @@ -0,0 +1,418 @@ +--- iptables-1.4.0rc1/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.c 2007-11-19 06:06:56.000000000 -0600 +@@ -0,0 +1,393 @@ ++/* ++ Shared library add-on to iptables to add layer 7 matching support. ++ ++ By Matthew Strait , Oct 2003. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on libipt_string.c (C) 2000 Emmanuel Roger ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "LAYER7 match v%s options:\n" ++ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used!)\n" ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n", ++ IPTABLES_VERSION); ++ fputc('\n', stdout); ++} ++ ++static struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, ++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = 0 } ++}; ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ size_t len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ /* Ignore everything on the line beginning with the ++ first space or tab . For instance, this allows the ++ protocol line in http.pat to be "http " (or ++ "http I am so cool") instead of just "http". */ ++ if(strchr(line, ' ')){ ++ char * space = strchr(line, ' '); ++ space[0] = '\0'; ++ } ++ if(strchr(line, '\t')){ ++ char * space = strchr(line, '\t'); ++ space[0] = '\0'; ++ } ++ ++ /* sanity check. First non-comment non-blank ++ line must be the same as the file name. */ ++ if(strcmp(line, protoname)) ++ exit_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ line, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ exit_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ exit_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++ ++/* ++ fprintf(stderr, "protocol: %s\npattern: %s\n\n", ++ info->protocol, ++ info->pattern); ++*/ ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ ++ switch ( result[rindex] ) ++ { ++ case 0x24: ++ case 0x28: ++ case 0x29: ++ case 0x2a: ++ case 0x2b: ++ case 0x2e: ++ case 0x3f: ++ case 0x5b: ++ case 0x5c: ++ case 0x5d: ++ case 0x5e: ++ case 0x7c: ++ fprintf(stderr, ++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n" ++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n", ++ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]); ++ break; ++ case 0x00: ++ fprintf(stderr, ++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n"); ++ break; ++ default: ++ break; ++ } ++ ++ ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rindex++; ++ } ++ result[rindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void ++parse_layer7_protocol(const char *s, struct xt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) ++ dir = l7dir; ++ else ++ dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); ++ ++ if(c > MAX_FN_LEN) ++ { ++ exit_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ } ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)) ++ { ++ //fprintf(stderr, "found\n"); ++ done = 1; ++ break; ++ } ++ ++ //fprintf(stderr, "not found\n"); ++ ++ n++; ++ } ++ ++ if(!done) ++ exit_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_match **match) ++{ ++ struct xt_layer7_info *layer7info = ++ (struct xt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': ++ check_inverse(optarg, &invert, &optind, 0); ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = 1; ++ *flags = 1; ++ break; ++ ++ case '2': ++ /* not going to use this, but maybe we need to strip a ! anyway (?) */ ++ check_inverse(optarg, &invert, &optind, 0); ++ ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --l7proto */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--l7proto'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const void *ip, ++ const struct xt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ ++ print_protocol(((struct xt_layer7_info *)match->data)->protocol, ++ ((struct xt_layer7_info *)match->data)->invert, numeric); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_layer7_info *info = ++ (const struct xt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); ++} ++ ++static struct iptables_match layer7 = { ++ .name = "layer7", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct xt_layer7_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)), ++ .help = &help, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_match(&layer7); ++} +--- iptables-1.4.0rc1/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.man 2007-11-19 05:49:46.000000000 -0600 +@@ -0,0 +1,14 @@ ++This module matches packets based on the application layer data of ++their connections. It uses regular expression matching to compare ++the application layer data to regular expressions found it the layer7 ++configuration files. This is an experimental module which can be found at ++http://l7-filter.sf.net. It takes two options. ++.TP ++.BI "--l7proto " "\fIprotocol\fP" ++Match the specified protocol. The protocol name must match a file ++name in /etc/l7-protocols/ or one of its first-level child directories. ++.TP ++.BI "--l7dir " "\fIdirectory\fP" ++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be ++specified before --l7proto. ++ +--- iptables-1.4.0rc1/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.4.0rc1-layer7/extensions/.layer7-test 2007-11-19 06:18:58.000000000 -0600 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7 diff --git a/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch b/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch new file mode 100644 index 0000000000..dd6efc15dc --- /dev/null +++ b/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch @@ -0,0 +1,43 @@ +Index: iptables-1.4.0/extensions/libipt_layer7.c +=================================================================== +--- iptables-1.4.0.orig/extensions/libipt_layer7.c ++++ iptables-1.4.0/extensions/libipt_layer7.c +@@ -43,7 +43,8 @@ static void help(void) + "LAYER7 match v%s options:\n" + "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" + " (--l7dir must be specified before --l7proto if used!)\n" +- "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n", ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n" ++ "--l7pkt : Skip connection tracking and match individual packets\n", + IPTABLES_VERSION); + fputc('\n', stdout); + } +@@ -51,6 +52,7 @@ static void help(void) + static struct option opts[] = { + { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, + { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' }, + { .name = 0 } + }; + +@@ -339,6 +341,10 @@ static int parse(int c, char **argv, int + *flags = 1; + break; + ++ case '3': ++ layer7info->pkt = 1; ++ break; ++ + default: + return 0; + } +@@ -370,6 +376,9 @@ static void print(const void *ip, + + print_protocol(((struct xt_layer7_info *)match->data)->protocol, + ((struct xt_layer7_info *)match->data)->invert, numeric); ++ ++ if (((struct xt_layer7_info *)match->data)->pkt) ++ printf("l7pkt "); + } + /* Saves the union ipt_matchinfo in parsable form to stdout. */ + static void save(const void *ip, const struct xt_entry_match *match) diff --git a/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch b/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch new file mode 100644 index 0000000000..0f6e01b19d --- /dev/null +++ b/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch @@ -0,0 +1,279 @@ +Index: iptables-1.4.0/extensions/libxt_multiport.c +=================================================================== +--- iptables-1.4.0.orig/extensions/libxt_multiport.c ++++ iptables-1.4.0/extensions/libxt_multiport.c +@@ -12,22 +12,6 @@ + #include "../include/linux/netfilter/xt_multiport.h" + + /* Function which prints out usage message. */ +-static void multiport_help(void) +-{ +- printf( +-"multiport v%s options:\n" +-" --source-ports port[,port,port...]\n" +-" --sports ...\n" +-" match source port(s)\n" +-" --destination-ports port[,port,port...]\n" +-" --dports ...\n" +-" match destination port(s)\n" +-" --ports port[,port,port]\n" +-" match both source and destination port(s)\n" +-" NOTE: this kernel does not support port ranges in multiport.\n", +-IPTABLES_VERSION); +-} +- + static void multiport_help_v1(void) + { + printf( +@@ -71,26 +55,6 @@ proto_to_name(u_int8_t proto) + } + } + +-static unsigned int +-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) +-{ +- char *buffer, *cp, *next; +- unsigned int i; +- +- buffer = strdup(portstring); +- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed"); +- +- for (cp=buffer, i=0; cp && idata; +- +- switch (c) { +- case '1': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_SOURCE; +- break; +- +- case '2': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_DESTINATION; +- break; +- +- case '3': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_EITHER; +- break; +- +- default: +- return 0; +- } +- +- if (invert) +- exit_error(PARAMETER_PROBLEM, +- "multiport does not support invert"); +- +- if (*flags) +- exit_error(PARAMETER_PROBLEM, +- "multiport can only have one option"); +- *flags = 1; +- return 1; +-} +- +-static int +-multiport_parse(int c, char **argv, int invert, unsigned int *flags, +- const void *e, struct xt_entry_match **match) +-{ +- const struct ipt_entry *entry = e; +- return __multiport_parse(c, argv, invert, flags, match, +- entry->ip.proto, entry->ip.invflags); +-} +- +-static int +-multiport_parse6(int c, char **argv, int invert, unsigned int *flags, +- const void *e, struct xt_entry_match **match) +-{ +- const struct ip6t_entry *entry = (const struct ip6t_entry *)e; +- return __multiport_parse(c, argv, invert, flags, match, +- entry->ipv6.proto, entry->ipv6.invflags); +-} +- +-static int + __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, + struct xt_entry_match **match, u_int16_t pnum, + u_int8_t invflags) +@@ -313,55 +210,6 @@ print_port(u_int16_t port, u_int8_t prot + } + + /* Prints out the matchinfo. */ +-static void +-__multiport_print(const struct xt_entry_match *match, int numeric, +- u_int16_t proto) +-{ +- const struct xt_multiport *multiinfo +- = (const struct xt_multiport *)match->data; +- unsigned int i; +- +- printf("multiport "); +- +- switch (multiinfo->flags) { +- case XT_MULTIPORT_SOURCE: +- printf("sports "); +- break; +- +- case XT_MULTIPORT_DESTINATION: +- printf("dports "); +- break; +- +- case XT_MULTIPORT_EITHER: +- printf("ports "); +- break; +- +- default: +- printf("ERROR "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], proto, numeric); +- } +- printf(" "); +-} +- +-static void multiport_print(const void *ip_void, +- const struct xt_entry_match *match, int numeric) +-{ +- const struct ipt_ip *ip = ip_void; +- __multiport_print(match, numeric, ip->proto); +-} +- +-static void multiport_print6(const void *ip_void, +- const struct xt_entry_match *match, int numeric) +-{ +- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; +- __multiport_print(match, numeric, ip->proto); +-} +- + static void __multiport_print_v1(const struct xt_entry_match *match, + int numeric, u_int16_t proto) + { +@@ -418,48 +266,6 @@ static void multiport_print6_v1(const vo + } + + /* Saves the union ipt_matchinfo in parsable form to stdout. */ +-static void __multiport_save(const struct xt_entry_match *match, +- u_int16_t proto) +-{ +- const struct xt_multiport *multiinfo +- = (const struct xt_multiport *)match->data; +- unsigned int i; +- +- switch (multiinfo->flags) { +- case XT_MULTIPORT_SOURCE: +- printf("--sports "); +- break; +- +- case XT_MULTIPORT_DESTINATION: +- printf("--dports "); +- break; +- +- case XT_MULTIPORT_EITHER: +- printf("--ports "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], proto, 1); +- } +- printf(" "); +-} +- +-static void multiport_save(const void *ip_void, +- const struct xt_entry_match *match) +-{ +- const struct ipt_ip *ip = ip_void; +- __multiport_save(match, ip->proto); +-} +- +-static void multiport_save6(const void *ip_void, +- const struct xt_entry_match *match) +-{ +- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; +- __multiport_save(match, ip->proto); +-} +- + static void __multiport_save_v1(const struct xt_entry_match *match, + u_int16_t proto) + { +@@ -509,36 +315,6 @@ static void multiport_save6_v1(const voi + __multiport_save_v1(match, ip->proto); + } + +-static struct xtables_match multiport_match = { +- .family = AF_INET, +- .name = "multiport", +- .revision = 0, +- .version = IPTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_multiport)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), +- .help = multiport_help, +- .parse = multiport_parse, +- .final_check = multiport_check, +- .print = multiport_print, +- .save = multiport_save, +- .extra_opts = multiport_opts, +-}; +- +-static struct xtables_match multiport_match6 = { +- .family = AF_INET6, +- .name = "multiport", +- .revision = 0, +- .version = IPTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_multiport)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), +- .help = multiport_help, +- .parse = multiport_parse6, +- .final_check = multiport_check, +- .print = multiport_print6, +- .save = multiport_save6, +- .extra_opts = multiport_opts, +-}; +- + static struct xtables_match multiport_match_v1 = { + .family = AF_INET, + .name = "multiport", +@@ -572,8 +348,6 @@ static struct xtables_match multiport_ma + void + _init(void) + { +- xtables_register_match(&multiport_match); +- xtables_register_match(&multiport_match6); + xtables_register_match(&multiport_match_v1); + xtables_register_match(&multiport_match6_v1); + } diff --git a/package/iptables/patches/1.4.0/005-imq1.patch b/package/iptables/patches/1.4.0/005-imq1.patch new file mode 100644 index 0000000000..63617076bd --- /dev/null +++ b/package/iptables/patches/1.4.0/005-imq1.patch @@ -0,0 +1,219 @@ +--- iptables-1.4.0.orig/extensions.orig/.IMQ-test6 Thu Jan 1 01:00:00 1970 ++++ iptables-1.4.0/extensions/.IMQ-test6 Mon Jun 16 10:12:47 2003 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ +--- iptables-1.4.0.orig/extensions.orig/libip6t_IMQ.c Thu Jan 1 01:00:00 1970 ++++ iptables-1.4.0/extensions/libip6t_IMQ.c Mon Jun 16 10:12:47 2003 +@@ -0,0 +1,100 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev enqueue to imq, defaults to 0\n", ++IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void ++init(struct xt_entry_target *t) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; ++ ++ mr->todev = 0; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, ++ struct xt_entry_target **target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++} ++ ++/* Prints out the targinfo. */ ++static void ++print(const void *ip, ++ const struct xt_entry_target *target, ++ int numeric) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void ++save(const void *ip, const struct xt_entry_target *target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct ip6tables_target imq = { ++ .next = NULL, ++ .name = "IMQ", ++ .version = IPTABLES_VERSION, ++ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), ++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++static __attribute__((constructor)) void _init(void) ++{ ++ register_target6(&imq); ++} +--- iptables-1.4.0.orig/extensions.orig/.IMQ-test Thu Jan 1 01:00:00 1970 ++++ iptables-1.4.0/extensions/.IMQ-test Mon Jun 16 10:12:47 2003 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ +--- iptables-1.4.0.orig/extensions.orig/libipt_IMQ.c Thu Jan 1 01:00:00 1970 ++++ iptables-1.4.0/extensions/libipt_IMQ.c Mon Jun 16 10:12:47 2003 +@@ -0,0 +1,100 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev enqueue to imq, defaults to 0\n", ++IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void ++init(struct xt_entry_target *t) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; ++ ++ mr->todev = 0; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, ++ struct xt_entry_target **target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++} ++ ++/* Prints out the targinfo. */ ++static void ++print(const void *ip, ++ const struct xt_entry_target *target, ++ int numeric) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void ++save(const void *ip, const struct xt_entry_target *target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct iptables_target imq = { ++ .next = NULL, ++ .name = "IMQ", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++static __attribute__((constructor)) void _init(void) ++{ ++ register_target(&imq); ++} + diff --git a/package/iptables/patches/1.4.0/006-chaostables_0.8.patch b/package/iptables/patches/1.4.0/006-chaostables_0.8.patch new file mode 100644 index 0000000000..a9eb14544f --- /dev/null +++ b/package/iptables/patches/1.4.0/006-chaostables_0.8.patch @@ -0,0 +1,393 @@ +Index: iptables-1.4.0/extensions/.CHAOS-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.CHAOS-testx +@@ -0,0 +1,3 @@ ++#! /bin/sh ++ ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS" +Index: iptables-1.4.0/extensions/libxt_CHAOS.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_CHAOS.c +@@ -0,0 +1,114 @@ ++/* ++ * CHAOS target for iptables ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++enum { ++ F_DELUDE = 1 << 0, ++ F_TARPIT = 1 << 1, ++}; ++ ++static const struct option chaos_tg_opts[] = { ++ {.name = "delude", .has_arg = false, .val = 'd'}, ++ {.name = "tarpit", .has_arg = false, .val = 't'}, ++ {}, ++}; ++ ++static void chaos_tg_help(void) ++{ ++ printf( ++ "CHAOS target v%s options:\n" ++ " --delude Enable DELUDE processing for TCP\n" ++ " --tarpit Enable TARPIT processing for TCP\n", ++ IPTABLES_VERSION); ++ return; ++} ++ ++static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ struct xt_chaos_target_info *info = (void *)((*target)->data); ++ switch (c) { ++ case 'd': ++ info->variant = XTCHAOS_DELUDE; ++ *flags |= F_DELUDE; ++ return true; ++ case 't': ++ info->variant = XTCHAOS_TARPIT; ++ *flags |= F_TARPIT; ++ return true; ++ } ++ return false; ++} ++ ++static void chaos_tg_check(unsigned int flags) ++{ ++ if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT)) ++ /* If flags == 0x03, both were specified, which should not be. */ ++ exit_error(PARAMETER_PROBLEM, ++ "CHAOS: only one of --tarpit or --delude " ++ "may be specified"); ++ return; ++} ++ ++static void chaos_tg_print(const void *ip, ++ const struct xt_entry_target *target, int numeric) ++{ ++ const struct xt_chaos_target_info *info = (const void *)target->data; ++ switch (info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("DELUDE "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("TARPIT "); ++ break; ++ } ++ return; ++} ++ ++static void chaos_tg_save(const void *ip, const struct xt_entry_target *target) ++{ ++ const struct xt_chaos_target_info *info = (const void *)target->data; ++ switch (info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("--delude "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("--tarpit "); ++ break; ++ } ++ return; ++} ++ ++static struct xtables_target chaos_tg_reg = { ++ .version = IPTABLES_VERSION, ++ .name = "CHAOS", ++ .family = AF_INET, ++ .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)), ++ .help = chaos_tg_help, ++ .parse = chaos_tg_parse, ++ .final_check = chaos_tg_check, ++ .print = chaos_tg_print, ++ .save = chaos_tg_save, ++ .extra_opts = chaos_tg_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&chaos_tg_reg); ++ return; ++} +Index: iptables-1.4.0/extensions/libxt_CHAOS.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_CHAOS.man +@@ -0,0 +1,18 @@ ++Causes confusion on the other end by doing odd things with incoming packets. ++CHAOS will randomly reply (or not) with one of its configurable subtargets: ++.TP ++\fB--delude\fR ++Use the REJECT and DELUDE targets as a base to do a sudden or deferred ++connection reset, fooling some network scanners to return non-deterministic ++(randomly open/closed) results, and in case it is deemed open, it is actually ++closed/filtered. ++.TP ++\fB--tarpit\fR ++Use the REJECT and TARPIT target as a base to hold the connection until it ++times out. This consumes conntrack entries when connection tracking is loaded ++(which usually is on most machines), and routers inbetween you and the Internet ++may fail to do their connection tracking if they have to handle more ++connections than they can. ++.PP ++The randomness factor of not replying vs. replying can be set during load-time ++of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters. +Index: iptables-1.4.0/extensions/.DELUDE-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.DELUDE-testx +@@ -0,0 +1,3 @@ ++#! /bin/sh ++ ++[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE" +Index: iptables-1.4.0/extensions/libxt_DELUDE.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_DELUDE.c +@@ -0,0 +1,49 @@ ++/* ++ * DELUDE target for iptables ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++ ++#include ++#include ++ ++static void delude_tg_help(void) ++{ ++ printf("DELUDE takes no options\n"); ++ return; ++} ++ ++static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void delude_tg_check(unsigned int flags) ++{ ++ return; ++} ++ ++static struct xtables_target delude_tg_reg = { ++ .version = IPTABLES_VERSION, ++ .name = "DELUDE", ++ .family = AF_INET, ++ .size = XT_ALIGN(0), ++ .userspacesize = XT_ALIGN(0), ++ .help = delude_tg_help, ++ .parse = delude_tg_parse, ++ .final_check = delude_tg_check, ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&delude_tg_reg); ++ return; ++} +Index: iptables-1.4.0/extensions/libxt_DELUDE.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_DELUDE.man +@@ -0,0 +1,4 @@ ++The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other ++packets with an RST. This will terminate the connection much like REJECT, but ++network scanners doing TCP half-open discovery can be spoofed to make them ++belive the port is open rather than closed/filtered. +Index: iptables-1.4.0/extensions/.portscan-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.portscan-testx +@@ -0,0 +1,3 @@ ++#! /bin/sh ++ ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan" +Index: iptables-1.4.0/extensions/libxt_portscan.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_portscan.c +@@ -0,0 +1,127 @@ ++/* ++ * portscan match for iptables ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++static const struct option portscan_mt_opts[] = { ++ {.name = "stealth", .has_arg = false, .val = 'x'}, ++ {.name = "synscan", .has_arg = false, .val = 's'}, ++ {.name = "cnscan", .has_arg = false, .val = 'c'}, ++ {.name = "grscan", .has_arg = false, .val = 'g'}, ++ {}, ++}; ++ ++static void portscan_mt_help(void) ++{ ++ printf( ++ "portscan match v%s options:\n" ++ "(Combining them will make them match by OR-logic)\n" ++ " --stealth Match TCP Stealth packets\n" ++ " --synscan Match TCP SYN scans\n" ++ " --cnscan Match TCP Connect scans\n" ++ " --grscan Match Banner Grabbing scans\n", ++ IPTABLES_VERSION); ++ return; ++} ++ ++static int portscan_mt_parse(int c, char **argv, int invert, ++ unsigned int *flags, const void *entry, struct xt_entry_match **match) ++{ ++ struct xt_portscan_match_info *info = (void *)((*match)->data); ++ ++ switch (c) { ++ case 'c': ++ info->match_cn = true; ++ return true; ++ case 'g': ++ info->match_gr = true; ++ return true; ++ case 's': ++ info->match_syn = true; ++ return true; ++ case 'x': ++ info->match_stealth = true; ++ return true; ++ } ++ return false; ++} ++ ++static void portscan_mt_check(unsigned int flags) ++{ ++ return; ++} ++ ++static void portscan_mt_print(const void *ip, ++ const struct xt_entry_match *match, int numeric) ++{ ++ const struct xt_portscan_match_info *info = (const void *)(match->data); ++ const char *s = ""; ++ ++ printf("portscan "); ++ if (info->match_stealth) { ++ printf("STEALTH"); ++ s = ","; ++ } ++ if (info->match_syn) { ++ printf("%sSYNSCAN", s); ++ s = ","; ++ } ++ if (info->match_cn) { ++ printf("%sCNSCAN", s); ++ s = ","; ++ } ++ if (info->match_gr) ++ printf("%sGRSCAN", s); ++ printf(" "); ++ return; ++} ++ ++static void portscan_mt_save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_portscan_match_info *info = (const void *)(match->data); ++ ++ if (info->match_stealth) ++ printf("--stealth "); ++ if (info->match_syn) ++ printf("--synscan "); ++ if (info->match_cn) ++ printf("--cnscan "); ++ if (info->match_gr) ++ printf("--grscan "); ++ return; ++} ++ ++static struct xtables_match portscan_mt_reg = { ++ .version = IPTABLES_VERSION, ++ .name = "portscan", ++ .family = AF_INET, ++ .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)), ++ .help = portscan_mt_help, ++ .parse = portscan_mt_parse, ++ .final_check = portscan_mt_check, ++ .print = portscan_mt_print, ++ .save = portscan_mt_save, ++ .extra_opts = portscan_mt_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&portscan_mt_reg); ++ return; ++} +Index: iptables-1.4.0/extensions/libxt_portscan.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_portscan.man +@@ -0,0 +1,27 @@ ++Detects simple port scan attemps based upon the packet's contents. (This is ++different from other implementations, which also try to match the rate of new ++connections.) Note that an attempt is only discovered after it has been carried ++out, but this information can be used in conjunction with other rules to block ++the remote host's future connections. So this match module will match on the ++(probably) last packet the remote side will send to your machine. ++.TP ++\fB--stealth\fR ++Match if the packet did not belong to any known TCP connection ++(Stealth/FIN/XMAS/NULL scan). ++.TP ++\fB--synscan\fR ++Match if the connection was a TCP half-open discovery (SYN scan), i.e. the ++connection was torn down after the 2nd packet in the 3-way handshake. ++.TP ++\fB--cnscan\fR ++Match if the connection was a TCP full open discovery (connect scan), i.e. the ++connection was torn down after completion of the 3-way handshake. ++.TP ++\fB--grscan\fR ++Match if data in the connection only flew in the direction of the remote side, ++e.g. if the connection was terminated after a locally running daemon sent its ++identification. (e.g. openssh) ++.PP ++NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan, ++so be advised to carefully use xt_portscan in conjunction with blocking rules, ++as it may lock out your very own internal network. diff --git a/package/iptables/patches/1.4.0/007-tarpit_support.patch b/package/iptables/patches/1.4.0/007-tarpit_support.patch new file mode 100644 index 0000000000..f1914f90be --- /dev/null +++ b/package/iptables/patches/1.4.0/007-tarpit_support.patch @@ -0,0 +1,106 @@ +Index: iptables-1.4.0/extensions/libxt_TARPIT.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_TARPIT.c +@@ -0,0 +1,55 @@ ++/* Shared library add-on to iptables to add TARPIT target support */ ++#include ++#include ++ ++#include ++#include ++ ++static void TARPIT_help(void) ++{ ++ fputs( ++"TARPIT takes no options\n" ++"\n", stdout); ++} ++ ++static struct option TARPIT_opts[] = { ++ { 0 } ++}; ++ ++static int TARPIT_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void TARPIT_final_check(unsigned int flags) ++{ ++} ++ ++static void TARPIT_print(const void *ip, const struct xt_entry_target *target, ++ int numeric) ++{ ++} ++ ++static void TARPIT_save(const void *ip, const struct xt_entry_target *target) ++{ ++} ++ ++static struct xtables_target tarpit_target = { ++ .family = AF_INET, ++ .name = "TARPIT", ++ .version = IPTABLES_VERSION, ++ .size = XT_ALIGN(0), ++ .userspacesize = XT_ALIGN(0), ++ .help = TARPIT_help, ++ .parse = TARPIT_parse, ++ .final_check = TARPIT_final_check, ++ .print = TARPIT_print, ++ .save = TARPIT_save, ++ .extra_opts = TARPIT_opts ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&tarpit_target); ++} +Index: iptables-1.4.0/extensions/libxt_TARPIT.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_TARPIT.man +@@ -0,0 +1,34 @@ ++Captures and holds incoming TCP connections using no local ++per-connection resources. Connections are accepted, but immediately ++switched to the persist state (0 byte window), in which the remote ++side stops sending data and asks to continue every 60-240 seconds. ++Attempts to close the connection are ignored, forcing the remote side ++to time out the connection in 12-24 minutes. ++ ++This offers similar functionality to LaBrea ++ but doesn't require dedicated ++hardware or IPs. Any TCP port that you would normally DROP or REJECT ++can instead become a tarpit. ++ ++To tarpit connections to TCP port 80 destined for the current machine: ++.IP ++iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT ++.P ++To significantly slow down Code Red/Nimda-style scans of unused address ++space, forward unused ip addresses to a Linux box not acting as a router ++(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP ++forwarding on the Linux box, and add: ++.IP ++iptables -A FORWARD -p tcp -j TARPIT ++.IP ++iptables -A FORWARD -j DROP ++.TP ++NOTE: ++If you use the conntrack module while you are using TARPIT, you should ++also use the NOTRACK target, or the kernel will unnecessarily allocate ++resources for each TARPITted connection. To TARPIT incoming ++connections to the standard IRC port while using conntrack, you could: ++.IP ++iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK ++.IP ++iptables -A INPUT -p tcp --dport 6667 -j TARPIT +Index: iptables-1.4.0/extensions/.TARPIT-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.TARPIT-testx +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f "$KERNEL_DIR/net/netfilter/xt_TARPIT.c" ] && echo "TARPIT" diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk index 61a4013c39..bafb5ea92e 100644 --- a/package/kernel/modules/netfilter.mk +++ b/package/kernel/modules/netfilter.mk @@ -1,4 +1,4 @@ -# +# # Copyright (C) 2006 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. @@ -19,9 +19,9 @@ endef define KernelPackage/ipt-conntrack/description Netfilter (IPv4) kernel modules for connection tracking - Includes: - - ipt_conntrack - - ipt_helper + Includes: + - ipt_conntrack + - ipt_helper - ipt_connmark/CONNMARK endef @@ -37,9 +37,9 @@ define KernelPackage/ipt-filter endef define KernelPackage/ipt-filter/description - Netfilter (IPv4) kernel modules for packet content inspection - Includes: - - ipt_ipp2p + Netfilter (IPv4) kernel modules for packet content inspection + Includes: + - ipt_ipp2p - ipt_layer7 endef @@ -55,16 +55,16 @@ define KernelPackage/ipt-ipopt endef define KernelPackage/ipt-ipopt/description - Netfilter (IPv4) modules for matching/changing IP packet options - Includes: - - ipt_CLASSIFY - - ipt_dscp/DSCP - - ipt_ecn/ECN - - ipt_length - - ipt_mac - - ipt_tos/TOS - - ipt_tcpmms - - ipt_ttl/TTL + Netfilter (IPv4) modules for matching/changing IP packet options + Includes: + - ipt_CLASSIFY + - ipt_dscp/DSCP + - ipt_ecn/ECN + - ipt_length + - ipt_mac + - ipt_tos/TOS + - ipt_tcpmms + - ipt_ttl/TTL - ipt_unclean endef @@ -80,9 +80,9 @@ define KernelPackage/ipt-ipsec endef define KernelPackage/ipt-ipsec/description - Netfilter (IPv4) modules for matching IPSec packets - Includes: - - ipt_ah + Netfilter (IPv4) modules for matching IPSec packets + Includes: + - ipt_ah - ipt_esp endef @@ -98,9 +98,9 @@ define KernelPackage/ipt-nat endef define KernelPackage/ipt-nat/description - Netfilter (IPv4) modules for extra NAT targets - Includes: - - ipt_REDIRECT + Netfilter (IPv4) modules for extra NAT targets + Includes: + - ipt_REDIRECT - ipt_NETMAP endef @@ -116,12 +116,12 @@ define KernelPackage/ipt-nathelper endef define KernelPackage/ipt-nathelper/description - Default Netfilter (IPv4) Conntrack and NAT helpers - Includes: - - ip_conntrack_ftp - - ip_nat_ftp - - ip_conntrack_irc - - ip_nat_irc + Default Netfilter (IPv4) Conntrack and NAT helpers + Includes: + - ip_conntrack_ftp + - ip_nat_ftp + - ip_conntrack_irc + - ip_nat_irc - ip_conntrack_tftp endef @@ -137,15 +137,15 @@ define KernelPackage/ipt-nathelper-extra endef define KernelPackage/ipt-nathelper-extra/description - Extra Netfilter (IPv4) Conntrack and NAT helpers - Includes: - - ip_conntrack_amanda - - ip_conntrack_proto_gre - - ip_nat_proto_gre - - ip_conntrack_pptp - - ip_nat_pptp - - ip_conntrack_sip - - ip_nat_sip + Extra Netfilter (IPv4) Conntrack and NAT helpers + Includes: + - ip_conntrack_amanda + - ip_conntrack_proto_gre + - ip_nat_proto_gre + - ip_conntrack_pptp + - ip_nat_pptp + - ip_conntrack_sip + - ip_nat_sip - ip_nat_snmp_basic endef @@ -176,8 +176,8 @@ define KernelPackage/ipt-queue endef define KernelPackage/ipt-queue/description - Netfilter (IPv4) module for user-space packet queueing - Includes: + Netfilter (IPv4) module for user-space packet queueing + Includes: - ipt_QUEUE endef @@ -193,8 +193,8 @@ define KernelPackage/ipt-ulog endef define KernelPackage/ipt-ulog/description - Netfilter (IPv4) module for user-space packet logging - Includes: + Netfilter (IPv4) module for user-space packet logging + Includes: - ipt_ULOG endef @@ -209,8 +209,8 @@ define KernelPackage/ipt-iprange endef define KernelPackage/ipt-iprange/description - Netfilter (IPv4) module for matching ip ranges - Includes: + Netfilter (IPv4) module for matching ip ranges + Includes: - ipt_IPRANGE endef @@ -227,17 +227,17 @@ endef define KernelPackage/ipt-ipset/description Netfilter kernel modules for ipset - Includes: - - ip_set - - ip_set_iphash - - ip_set_ipmap - - ip_set_ipporthash - - ip_set_iptree + Includes: + - ip_set + - ip_set_iphash + - ip_set_ipmap + - ip_set_ipporthash + - ip_set_iptree - ip_set_iptreemap - - ip_set_macipmap - - ip_set_nethash - - ip_set_portmap - - ipt_set + - ip_set_macipmap + - ip_set_nethash + - ip_set_portmap + - ipt_set - ipt_SET endef @@ -254,17 +254,17 @@ endef define KernelPackage/ipt-extra/description Other Netfilter (IPv4) kernel modules - Includes: - - ipt_limit - - ipt_owner - - ipt_physdev - - ipt_pkttype - - ipt_recent - - iptable_raw - - xt_NOTRACK - - xt_TARPIT - - xt_DELUDE - - xt_CHAOS + Includes: + - ipt_limit + - ipt_owner + - ipt_physdev + - ipt_pkttype + - ipt_recent + - iptable_raw + - xt_NOTRACK + - xt_TARPIT + - xt_DELUDE + - xt_CHAOS endef $(eval $(call KernelPackage,ipt-extra)) @@ -273,6 +273,7 @@ $(eval $(call KernelPackage,ipt-extra)) define KernelPackage/ip6tables SUBMENU:=$(NF_MENU) TITLE:=IPv6 modules + DEPENDS:=+kmod-ipv6 KCONFIG:=CONFIG_IP6_NF_IPTABLES FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX)) AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_IPV6-m))) diff --git a/target/linux/generic-2.4/patches/602-netfilter_layer7_2.17_with_pktmatch.patch b/target/linux/generic-2.4/patches/602-netfilter_layer7_2.17_with_pktmatch.patch new file mode 100644 index 0000000000..cfbca53315 --- /dev/null +++ b/target/linux/generic-2.4/patches/602-netfilter_layer7_2.17_with_pktmatch.patch @@ -0,0 +1,2095 @@ +Index: linux-2.4.35.4/Documentation/Configure.help +=================================================================== +--- linux-2.4.35.4.orig/Documentation/Configure.help 2007-12-15 05:19:54.063501941 +0100 ++++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:06.024183543 +0100 +@@ -29207,6 +29207,18 @@ + + If unsure, say N. + ++CONFIG_IP_NF_MATCH_LAYER7 ++ Say Y if you want to be able to classify connections (and their ++ packets) based on regular expression matching of their application ++ layer data. This is one way to classify applications such as ++ peer-to-peer filesharing systems that do not always use the same ++ port. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ ++CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++ Say Y to get lots of debugging output. ++ + # + # A couple of things I keep forgetting: + # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet, +Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h +=================================================================== +--- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:19:38.358606970 +0100 ++++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:06.024183543 +0100 +@@ -207,6 +207,17 @@ + } nat; + #endif /* CONFIG_IP_NF_NAT_NEEDED */ + ++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) ++ struct { ++ unsigned int numpackets; /* surely this is kept track of somewhere else, right? I can't find it... */ ++ char * app_proto; /* "http", "ftp", etc. NULL if unclassifed */ ++ ++ /* the application layer data so far. NULL if ->numpackets > numpackets */ ++ char * app_data; ++ ++ unsigned int app_data_len; ++ } layer7; ++#endif + }; + + /* get master conntrack via master expectation */ +Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h 2007-12-15 05:20:06.032183998 +0100 +@@ -0,0 +1,27 @@ ++/* ++ By Matthew Strait , Dec 2003. ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++*/ ++ ++#ifndef _IPT_LAYER7_H ++#define _IPT_LAYER7_H ++ ++#define MAX_PATTERN_LEN 8192 ++#define MAX_PROTOCOL_LEN 256 ++ ++typedef char *(*proc_ipt_search) (char *, char, char *); ++ ++struct ipt_layer7_info { ++ char protocol[MAX_PROTOCOL_LEN]; ++ char pattern[MAX_PATTERN_LEN]; ++ u_int8_t invert; ++ u_int8_t pkt; ++}; ++ ++#endif /* _IPT_LAYER7_H */ +Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in +=================================================================== +--- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:05.764168722 +0100 ++++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:06.036184227 +0100 +@@ -44,6 +44,9 @@ + if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then + dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES + dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES ++ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK ++ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7 ++ + fi + # The targets + dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES +Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile +=================================================================== +--- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:05.764168722 +0100 ++++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:06.036184227 +0100 +@@ -87,6 +87,7 @@ + obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o + obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o + obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o ++obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o + + # targets + obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o +Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c +=================================================================== +--- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:19:38.386608565 +0100 ++++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:06.036184227 +0100 +@@ -346,6 +346,14 @@ + } + kfree(ct->master); + } ++ ++ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) ++ if(ct->layer7.app_proto) ++ kfree(ct->layer7.app_proto); ++ if(ct->layer7.app_data) ++ kfree(ct->layer7.app_data); ++ #endif ++ + WRITE_UNLOCK(&ip_conntrack_lock); + + if (master) +Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c +=================================================================== +--- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:19:38.394609023 +0100 ++++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:06.036184227 +0100 +@@ -107,6 +107,13 @@ + len += sprintf(buffer + len, "[ASSURED] "); + len += sprintf(buffer + len, "use=%u ", + atomic_read(&conntrack->ct_general.use)); ++ ++ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) ++ if(conntrack->layer7.app_proto) ++ len += sprintf(buffer + len, "l7proto=%s ", ++ conntrack->layer7.app_proto); ++ #endif ++ + len += sprintf(buffer + len, "\n"); + + return len; +Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c 2007-12-15 05:20:06.040184453 +0100 +@@ -0,0 +1,595 @@ ++/* ++ Kernel module to match application layer (OSI layer 7) ++ data in connections. ++ ++ http://l7-filter.sf.net ++ ++ By Matthew Strait and Ethan Sommer, 2003-2005. ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on ipt_string.c (C) 2000 Emmanuel Roger ++ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "regexp/regexp.c" ++ ++#include ++#include ++ ++MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); ++MODULE_LICENSE("GPL"); ++MODULE_DESCRIPTION("iptables application layer match module"); ++ ++static int maxdatalen = 2048; // this is the default ++MODULE_PARM(maxdatalen,"i"); ++MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter"); ++ ++#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG) ++ #define DPRINTK(format,args...) printk(format,##args) ++#else ++ #define DPRINTK(format,args...) ++#endif ++ ++#define TOTAL_PACKETS master_conntrack->layer7.numpackets ++ ++/* Number of packets whose data we look at. ++This can be modified through /proc/net/layer7_numpackets */ ++static int num_packets = 10; ++ ++static struct pattern_cache { ++ char * regex_string; ++ regexp * pattern; ++ struct pattern_cache * next; ++} * first_pattern_cache = NULL; ++ ++/* I'm new to locking. Here are my assumptions: ++ ++- No one will write to /proc/net/layer7_numpackets over and over very fast; ++ if they did, nothing awful would happen. ++ ++- This code will never be processing the same packet twice at the same time, ++ because iptables rules are traversed in order. ++ ++- It doesn't matter if two packets from different connections are in here at ++ the same time, because they don't share any data. ++ ++- It _does_ matter if two packets from the same connection are here at the same ++ time. In this case, we have to protect the conntracks and the list of ++ compiled patterns. ++*/ ++DECLARE_RWLOCK(ct_lock); ++DECLARE_LOCK(list_lock); ++ ++#if CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++/* Converts an unfriendly string into a friendly one by ++replacing unprintables with periods and all whitespace with " ". */ ++static char * friendly_print(unsigned char * s) ++{ ++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC); ++ int i; ++ ++ if(!f) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n"); ++ return NULL; ++ } ++ ++ for(i = 0; i < strlen(s); i++){ ++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i]; ++ else if(isspace(s[i])) f[i] = ' '; ++ else f[i] = '.'; ++ } ++ f[i] = '\0'; ++ return f; ++} ++ ++static char dec2hex(int i) ++{ ++ switch (i) { ++ case 0 ... 9: ++ return (char)(i + '0'); ++ break; ++ case 10 ... 15: ++ return (char)(i - 10 + 'a'); ++ break; ++ default: ++ if (net_ratelimit()) ++ printk("Problem in dec2hex\n"); ++ return '\0'; ++ } ++} ++ ++static char * hex_print(unsigned char * s) ++{ ++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC); ++ int i; ++ ++ if(!g) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n"); ++ return NULL; ++ } ++ ++ for(i = 0; i < strlen(s); i++) { ++ g[i*3 ] = dec2hex(s[i]/16); ++ g[i*3 + 1] = dec2hex(s[i]%16); ++ g[i*3 + 2] = ' '; ++ } ++ g[i*3] = '\0'; ++ ++ return g; ++} ++#endif // DEBUG ++ ++/* Use instead of regcomp. As we expect to be seeing the same regexps over and ++over again, it make sense to cache the results. */ ++static regexp * compile_and_cache(char * regex_string, char * protocol) ++{ ++ struct pattern_cache * node = first_pattern_cache; ++ struct pattern_cache * last_pattern_cache = first_pattern_cache; ++ struct pattern_cache * tmp; ++ unsigned int len; ++ ++ while (node != NULL) { ++ if (!strcmp(node->regex_string, regex_string)) ++ return node->pattern; ++ ++ last_pattern_cache = node;/* points at the last non-NULL node */ ++ node = node->next; ++ } ++ ++ /* If we reach the end of the list, then we have not yet cached ++ the pattern for this regex. Let's do that now. ++ Be paranoid about running out of memory to avoid list corruption. */ ++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC); ++ ++ if(!tmp) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); ++ return NULL; ++ } ++ ++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC); ++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC); ++ tmp->next = NULL; ++ ++ if(!tmp->regex_string || !tmp->pattern) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); ++ kfree(tmp->regex_string); ++ kfree(tmp->pattern); ++ kfree(tmp); ++ return NULL; ++ } ++ ++ /* Ok. The new node is all ready now. */ ++ node = tmp; ++ ++ if(first_pattern_cache == NULL) /* list is empty */ ++ first_pattern_cache = node; /* make node the beginning */ ++ else ++ last_pattern_cache->next = node; /* attach node to the end */ ++ ++ /* copy the string and compile the regex */ ++ len = strlen(regex_string); ++ DPRINTK("About to compile this: \"%s\"\n", regex_string); ++ node->pattern = regcomp(regex_string, &len); ++ if ( !node->pattern ) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol); ++ /* pattern is now cached as NULL, so we won't try again. */ ++ } ++ ++ strcpy(node->regex_string, regex_string); ++ return node->pattern; ++} ++ ++static int can_handle(const struct sk_buff *skb) ++{ ++ if(!skb->nh.iph) /* not IP */ ++ return 0; ++ if(skb->nh.iph->protocol != IPPROTO_TCP && ++ skb->nh.iph->protocol != IPPROTO_UDP && ++ skb->nh.iph->protocol != IPPROTO_ICMP) ++ return 0; ++ return 1; ++} ++ ++/* Returns offset the into the skb->data that the application data starts */ ++static int app_data_offset(const struct sk_buff *skb) ++{ ++ /* In case we are ported somewhere (ebtables?) where skb->nh.iph ++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ ++ int ip_hl = 4*skb->nh.iph->ihl; ++ ++ if( skb->nh.iph->protocol == IPPROTO_TCP ) { ++ /* 12 == offset into TCP header for the header length field. ++ Can't get this with skb->h.th->doff because the tcphdr ++ struct doesn't get set when routing (this is confirmed to be ++ true in Netfilter as well as QoS.) */ ++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4); ++ ++ return ip_hl + tcp_hl; ++ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) { ++ return ip_hl + 8; /* UDP header is always 8 bytes */ ++ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) { ++ return ip_hl + 8; /* ICMP header is 8 bytes */ ++ } else { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n"); ++ return ip_hl + 8; /* something reasonable */ ++ } ++} ++ ++/* handles whether there's a match when we aren't appending data anymore */ ++static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack, ++ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo, ++ struct ipt_layer7_info * info) ++{ ++ /* If we're in here, throw the app data away */ ++ WRITE_LOCK(&ct_lock); ++ if(master_conntrack->layer7.app_data != NULL) { ++ ++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++ if(!master_conntrack->layer7.app_proto) { ++ char * f = friendly_print(master_conntrack->layer7.app_data); ++ char * g = hex_print(master_conntrack->layer7.app_data); ++ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n", ++ strlen(f), ++ TOTAL_PACKETS, f); ++ kfree(f); ++ DPRINTK("In hex: %s\n", g); ++ kfree(g); ++ } ++ #endif ++ ++ kfree(master_conntrack->layer7.app_data); ++ master_conntrack->layer7.app_data = NULL; /* don't free again */ ++ } ++ WRITE_UNLOCK(&ct_lock); ++ ++ if(master_conntrack->layer7.app_proto){ ++ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */ ++ WRITE_LOCK(&ct_lock); ++ if(!conntrack->layer7.app_proto) { ++ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC); ++ if(!conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); ++ WRITE_UNLOCK(&ct_lock); ++ return 1; ++ } ++ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto); ++ } ++ WRITE_UNLOCK(&ct_lock); ++ ++ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol)); ++ } ++ else { ++ /* If not classified, set to "unknown" to distinguish from ++ connections that are still being tested. */ ++ WRITE_LOCK(&ct_lock); ++ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); ++ WRITE_UNLOCK(&ct_lock); ++ return 1; ++ } ++ strcpy(master_conntrack->layer7.app_proto, "unknown"); ++ WRITE_UNLOCK(&ct_lock); ++ return 0; ++ } ++} ++ ++static int add_datastr(char *target, int offset, char *app_data, int len) ++{ ++ int length = 0, i; ++ ++ /* Strip nulls. Make everything lower case (our regex lib doesn't ++ do case insensitivity). Add it to the end of the current data. */ ++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { ++ if(app_data[i] != '\0') { ++ target[length+offset] = ++ /* the kernel version of tolower mungs 'upper ascii' */ ++ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; ++ length++; ++ } ++ } ++ ++ target[length+offset] = '\0'; ++ ++ return length; ++} ++ ++/* add the new app data to the conntrack. Return number of bytes added. */ ++static int add_data(struct ip_conntrack * master_conntrack, ++ char * app_data, int appdatalen) ++{ ++ int length; ++ ++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); ++ master_conntrack->layer7.app_data_len += length; ++ ++ return length; ++} ++ ++/* Returns true on match and false otherwise. */ ++static int match(/* const */struct sk_buff *skb, const struct net_device *in, ++ const struct net_device *out, const void *matchinfo, ++ int offset, int *hotdrop) ++{ ++ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; ++ enum ip_conntrack_info master_ctinfo, ctinfo; ++ struct ip_conntrack *master_conntrack, *conntrack; ++ unsigned char *app_data, *tmp_data; ++ unsigned int pattern_result, appdatalen; ++ regexp * comppattern; ++ ++ if(!can_handle(skb)){ ++ DPRINTK("layer7: This is some protocol I can't handle.\n"); ++ return info->invert; ++ } ++ ++ /* Treat the parent and all its children together as one connection, ++ except for the purpose of setting conntrack->layer7.app_proto in the ++ actual connection. This makes /proc/net/ip_conntrack somewhat more ++ satisfying. */ ++ if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) || ++ !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) { ++ DPRINTK("layer7: packet is not from a known connection, giving up.\n"); ++ return info->invert; ++ } ++ ++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */ ++ while (master_ct(master_conntrack) != NULL) ++ master_conntrack = master_ct(master_conntrack); ++ ++ if(!skb->cb[0]){ ++ WRITE_LOCK(&ct_lock); ++ master_conntrack->layer7.numpackets++;/*starts at 0 via memset*/ ++ WRITE_UNLOCK(&ct_lock); ++ } ++ ++ /* if we've classified it or seen too many packets */ ++ if(!info->pkt && (TOTAL_PACKETS > num_packets || ++ master_conntrack->layer7.app_proto)) { ++ ++ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); ++ ++ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7 ++ rules. I'm not sure that using cb for this purpose is correct, although ++ it says "put your private variables there". But it doesn't look like it ++ is being used for anything else in the skbs that make it here. How can ++ I write to cb without making the compiler angry? */ ++ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ ++ ++ return (pattern_result ^ info->invert); ++ } ++ ++ if(skb_is_nonlinear(skb)){ ++ if(skb_linearize(skb, GFP_ATOMIC) != 0){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n"); ++ return info->invert; ++ } ++ } ++ ++ /* now that the skb is linearized, it's safe to set these. */ ++ app_data = skb->data + app_data_offset(skb); ++ appdatalen = skb->tail - app_data; ++ ++ LOCK_BH(&list_lock); ++ /* the return value gets checked later, when we're ready to use it */ ++ comppattern = compile_and_cache(info->pattern, info->protocol); ++ UNLOCK_BH(&list_lock); ++ ++ if (info->pkt) { ++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!tmp_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); ++ return info->invert; ++ } ++ ++ tmp_data[0] = '\0'; ++ add_datastr(tmp_data, 0, app_data, appdatalen); ++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); ++ kfree(tmp_data); ++ tmp_data = NULL; ++ ++ return (pattern_result ^ info->invert); ++ } ++ ++ /* On the first packet of a connection, allocate space for app data */ ++ WRITE_LOCK(&ct_lock); ++ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { ++ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); ++ WRITE_UNLOCK(&ct_lock); ++ return info->invert; ++ } ++ ++ master_conntrack->layer7.app_data[0] = '\0'; ++ } ++ WRITE_UNLOCK(&ct_lock); ++ ++ /* Can be here, but unallocated, if numpackets is increased near ++ the beginning of a connection */ ++ if(master_conntrack->layer7.app_data == NULL) ++ return (info->invert); /* unmatched */ ++ ++ if(!skb->cb[0]){ ++ int newbytes; ++ WRITE_LOCK(&ct_lock); ++ newbytes = add_data(master_conntrack, app_data, appdatalen); ++ WRITE_UNLOCK(&ct_lock); ++ ++ if(newbytes == 0) { /* didn't add any data */ ++ skb->cb[0] = 1; ++ /* Didn't match before, not going to match now */ ++ return info->invert; ++ } ++ } ++ ++ /* If looking for "unknown", then never match. "Unknown" means that ++ we've given up; we're still trying with these packets. */ ++ if(!strcmp(info->protocol, "unknown")) { ++ pattern_result = 0; ++ /* If the regexp failed to compile, don't bother running it */ ++ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) { ++ DPRINTK("layer7: regexec positive: %s!\n", info->protocol); ++ pattern_result = 1; ++ } else pattern_result = 0; ++ ++ if(pattern_result) { ++ WRITE_LOCK(&ct_lock); ++ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); ++ WRITE_UNLOCK(&ct_lock); ++ return (pattern_result ^ info->invert); ++ } ++ strcpy(master_conntrack->layer7.app_proto, info->protocol); ++ WRITE_UNLOCK(&ct_lock); ++ } ++ ++ /* mark the packet seen */ ++ skb->cb[0] = 1; ++ ++ return (pattern_result ^ info->invert); ++} ++ ++static int checkentry(const char *tablename, const struct ipt_ip *ip, ++ void *matchinfo, unsigned int matchsize, unsigned int hook_mask) ++{ ++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_layer7_info))) ++ return 0; ++ return 1; ++} ++ ++static struct ipt_match layer7_match = { ++ .name = "layer7", ++ .match = &match, ++ .checkentry = &checkentry, ++ .me = THIS_MODULE ++}; ++ ++/* taken from drivers/video/modedb.c */ ++static int my_atoi(const char *s) ++{ ++ int val = 0; ++ ++ for (;; s++) { ++ switch (*s) { ++ case '0'...'9': ++ val = 10*val+(*s-'0'); ++ break; ++ default: ++ return val; ++ } ++ } ++} ++ ++/* write out num_packets to userland. */ ++static int layer7_read_proc(char* page, char ** start, off_t off, int count, ++ int* eof, void * data) ++{ ++ if(num_packets > 99 && net_ratelimit()) ++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); ++ ++ page[0] = num_packets/10 + '0'; ++ page[1] = num_packets%10 + '0'; ++ page[2] = '\n'; ++ page[3] = '\0'; ++ ++ *eof=1; ++ ++ return 3; ++} ++ ++/* Read in num_packets from userland */ ++static int layer7_write_proc(struct file* file, const char* buffer, ++ unsigned long count, void *data) ++{ ++ char * foo = kmalloc(count, GFP_ATOMIC); ++ ++ if(!foo){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n"); ++ return count; ++ } ++ ++ copy_from_user(foo, buffer, count); ++ ++ num_packets = my_atoi(foo); ++ kfree (foo); ++ ++ /* This has an arbitrary limit to make the math easier. I'm lazy. ++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ ++ if(num_packets > 99) { ++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); ++ num_packets = 99; ++ } else if(num_packets < 1) { ++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); ++ num_packets = 1; ++ } ++ ++ return count; ++} ++ ++/* register the proc file */ ++static void layer7_init_proc(void) ++{ ++ struct proc_dir_entry* entry; ++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); ++ entry->read_proc = layer7_read_proc; ++ entry->write_proc = layer7_write_proc; ++} ++ ++static void layer7_cleanup_proc(void) ++{ ++ remove_proc_entry("layer7_numpackets", proc_net); ++} ++ ++static int __init init(void) ++{ ++ layer7_init_proc(); ++ if(maxdatalen < 1) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n"); ++ maxdatalen = 1; ++ } ++ /* This is not a hard limit. It's just here to prevent people from ++ bringing their slow machines to a grinding halt. */ ++ else if(maxdatalen > 65536) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); ++ maxdatalen = 65536; ++ } ++ return ipt_register_match(&layer7_match); ++} ++ ++static void __exit fini(void) ++{ ++ layer7_cleanup_proc(); ++ ipt_unregister_match(&layer7_match); ++} ++ ++module_init(init); ++module_exit(fini); +Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c 2007-12-15 05:20:06.040184453 +0100 +@@ -0,0 +1,1195 @@ ++/* ++ * regcomp and regexec -- regsub and regerror are elsewhere ++ * @(#)regexp.c 1.3 of 18 April 87 ++ * ++ * Copyright (c) 1986 by University of Toronto. ++ * Written by Henry Spencer. Not derived from licensed software. ++ * ++ * Permission is granted to anyone to use this software for any ++ * purpose on any computer system, and to redistribute it freely, ++ * subject to the following restrictions: ++ * ++ * 1. The author is not responsible for the consequences of use of ++ * this software, no matter how awful, even if they arise ++ * from defects in it. ++ * ++ * 2. The origin of this software must not be misrepresented, either ++ * by explicit claim or by omission. ++ * ++ * 3. Altered versions must be plainly marked as such, and must not ++ * be misrepresented as being the original software. ++ * ++ * Beware that some of this code is subtly aware of the way operator ++ * precedence is structured in regular expressions. Serious changes in ++ * regular-expression syntax might require a total rethink. ++ * ++ * This code was modified by Ethan Sommer to work within the kernel ++ * (it now uses kmalloc etc..) ++ * ++ * Modified slightly by Matthew Strait to use more modern C. ++ */ ++ ++#include "regexp.h" ++#include "regmagic.h" ++ ++/* added by ethan and matt. Lets it work in both kernel and user space. ++(So iptables can use it, for instance.) Yea, it goes both ways... */ ++#if __KERNEL__ ++ #define malloc(foo) kmalloc(foo,GFP_ATOMIC) ++#else ++ #define printk(format,args...) printf(format,##args) ++#endif ++ ++void regerror(char * s) ++{ ++ printk("<3>Regexp: %s\n", s); ++ /* NOTREACHED */ ++} ++ ++/* ++ * The "internal use only" fields in regexp.h are present to pass info from ++ * compile to execute that permits the execute phase to run lots faster on ++ * simple cases. They are: ++ * ++ * regstart char that must begin a match; '\0' if none obvious ++ * reganch is the match anchored (at beginning-of-line only)? ++ * regmust string (pointer into program) that match must include, or NULL ++ * regmlen length of regmust string ++ * ++ * Regstart and reganch permit very fast decisions on suitable starting points ++ * for a match, cutting down the work a lot. Regmust permits fast rejection ++ * of lines that cannot possibly match. The regmust tests are costly enough ++ * that regcomp() supplies a regmust only if the r.e. contains something ++ * potentially expensive (at present, the only such thing detected is * or + ++ * at the start of the r.e., which can involve a lot of backup). Regmlen is ++ * supplied because the test in regexec() needs it and regcomp() is computing ++ * it anyway. ++ */ ++ ++/* ++ * Structure for regexp "program". This is essentially a linear encoding ++ * of a nondeterministic finite-state machine (aka syntax charts or ++ * "railroad normal form" in parsing technology). Each node is an opcode ++ * plus a "next" pointer, possibly plus an operand. "Next" pointers of ++ * all nodes except BRANCH implement concatenation; a "next" pointer with ++ * a BRANCH on both ends of it is connecting two alternatives. (Here we ++ * have one of the subtle syntax dependencies: an individual BRANCH (as ++ * opposed to a collection of them) is never concatenated with anything ++ * because of operator precedence.) The operand of some types of node is ++ * a literal string; for others, it is a node leading into a sub-FSM. In ++ * particular, the operand of a BRANCH node is the first node of the branch. ++ * (NB this is *not* a tree structure: the tail of the branch connects ++ * to the thing following the set of BRANCHes.) The opcodes are: ++ */ ++ ++/* definition number opnd? meaning */ ++#define END 0 /* no End of program. */ ++#define BOL 1 /* no Match "" at beginning of line. */ ++#define EOL 2 /* no Match "" at end of line. */ ++#define ANY 3 /* no Match any one character. */ ++#define ANYOF 4 /* str Match any character in this string. */ ++#define ANYBUT 5 /* str Match any character not in this string. */ ++#define BRANCH 6 /* node Match this alternative, or the next... */ ++#define BACK 7 /* no Match "", "next" ptr points backward. */ ++#define EXACTLY 8 /* str Match this string. */ ++#define NOTHING 9 /* no Match empty string. */ ++#define STAR 10 /* node Match this (simple) thing 0 or more times. */ ++#define PLUS 11 /* node Match this (simple) thing 1 or more times. */ ++#define OPEN 20 /* no Mark this point in input as start of #n. */ ++ /* OPEN+1 is number 1, etc. */ ++#define CLOSE 30 /* no Analogous to OPEN. */ ++ ++/* ++ * Opcode notes: ++ * ++ * BRANCH The set of branches constituting a single choice are hooked ++ * together with their "next" pointers, since precedence prevents ++ * anything being concatenated to any individual branch. The ++ * "next" pointer of the last BRANCH in a choice points to the ++ * thing following the whole choice. This is also where the ++ * final "next" pointer of each individual branch points; each ++ * branch starts with the operand node of a BRANCH node. ++ * ++ * BACK Normal "next" pointers all implicitly point forward; BACK ++ * exists to make loop structures possible. ++ * ++ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular ++ * BRANCH structures using BACK. Simple cases (one character ++ * per match) are implemented with STAR and PLUS for speed ++ * and to minimize recursive plunges. ++ * ++ * OPEN,CLOSE ...are numbered at compile time. ++ */ ++ ++/* ++ * A node is one char of opcode followed by two chars of "next" pointer. ++ * "Next" pointers are stored as two 8-bit pieces, high order first. The ++ * value is a positive offset from the opcode of the node containing it. ++ * An operand, if any, simply follows the node. (Note that much of the ++ * code generation knows about this implicit relationship.) ++ * ++ * Using two bytes for the "next" pointer is vast overkill for most things, ++ * but allows patterns to get big without disasters. ++ */ ++#define OP(p) (*(p)) ++#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377)) ++#define OPERAND(p) ((p) + 3) ++ ++/* ++ * See regmagic.h for one further detail of program structure. ++ */ ++ ++ ++/* ++ * Utility definitions. ++ */ ++#ifndef CHARBITS ++#define UCHARAT(p) ((int)*(unsigned char *)(p)) ++#else ++#define UCHARAT(p) ((int)*(p)&CHARBITS) ++#endif ++ ++#define FAIL(m) { regerror(m); return(NULL); } ++#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?') ++#define META "^$.[()|?+*\\" ++ ++/* ++ * Flags to be passed up and down. ++ */ ++#define HASWIDTH 01 /* Known never to match null string. */ ++#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */ ++#define SPSTART 04 /* Starts with * or +. */ ++#define WORST 0 /* Worst case. */ ++ ++/* ++ * Global work variables for regcomp(). ++ */ ++static char *regparse; /* Input-scan pointer. */ ++static int regnpar; /* () count. */ ++static char regdummy; ++static char *regcode; /* Code-emit pointer; ®dummy = don't. */ ++static long regsize; /* Code size. */ ++ ++/* ++ * Forward declarations for regcomp()'s friends. ++ */ ++#ifndef STATIC ++#define STATIC static ++#endif ++STATIC char *reg(int paren,int *flagp); ++STATIC char *regbranch(int *flagp); ++STATIC char *regpiece(int *flagp); ++STATIC char *regatom(int *flagp); ++STATIC char *regnode(char op); ++STATIC char *regnext(char *p); ++STATIC void regc(char b); ++STATIC void reginsert(char op, char *opnd); ++STATIC void regtail(char *p, char *val); ++STATIC void regoptail(char *p, char *val); ++ ++ ++__kernel_size_t my_strcspn(const char *s1,const char *s2) ++{ ++ char *scan1; ++ char *scan2; ++ int count; ++ ++ count = 0; ++ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) { ++ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */ ++ if (*scan1 == *scan2++) ++ return(count); ++ count++; ++ } ++ return(count); ++} ++ ++/* ++ - regcomp - compile a regular expression into internal code ++ * ++ * We can't allocate space until we know how big the compiled form will be, ++ * but we can't compile it (and thus know how big it is) until we've got a ++ * place to put the code. So we cheat: we compile it twice, once with code ++ * generation turned off and size counting turned on, and once "for real". ++ * This also means that we don't allocate space until we are sure that the ++ * thing really will compile successfully, and we never have to move the ++ * code and thus invalidate pointers into it. (Note that it has to be in ++ * one piece because free() must be able to free it all.) ++ * ++ * Beware that the optimization-preparation code in here knows about some ++ * of the structure of the compiled regexp. ++ */ ++regexp * ++regcomp(char *exp,int *patternsize) ++{ ++ register regexp *r; ++ register char *scan; ++ register char *longest; ++ register int len; ++ int flags; ++ /* commented out by ethan ++ extern char *malloc(); ++ */ ++ ++ if (exp == NULL) ++ FAIL("NULL argument"); ++ ++ /* First pass: determine size, legality. */ ++ regparse = exp; ++ regnpar = 1; ++ regsize = 0L; ++ regcode = ®dummy; ++ regc(MAGIC); ++ if (reg(0, &flags) == NULL) ++ return(NULL); ++ ++ /* Small enough for pointer-storage convention? */ ++ if (regsize >= 32767L) /* Probably could be 65535L. */ ++ FAIL("regexp too big"); ++ ++ /* Allocate space. */ ++ *patternsize=sizeof(regexp) + (unsigned)regsize; ++ r = (regexp *)malloc(sizeof(regexp) + (unsigned)regsize); ++ if (r == NULL) ++ FAIL("out of space"); ++ ++ /* Second pass: emit code. */ ++ regparse = exp; ++ regnpar = 1; ++ regcode = r->program; ++ regc(MAGIC); ++ if (reg(0, &flags) == NULL) ++ return(NULL); ++ ++ /* Dig out information for optimizations. */ ++ r->regstart = '\0'; /* Worst-case defaults. */ ++ r->reganch = 0; ++ r->regmust = NULL; ++ r->regmlen = 0; ++ scan = r->program+1; /* First BRANCH. */ ++ if (OP(regnext(scan)) == END) { /* Only one top-level choice. */ ++ scan = OPERAND(scan); ++ ++ /* Starting-point info. */ ++ if (OP(scan) == EXACTLY) ++ r->regstart = *OPERAND(scan); ++ else if (OP(scan) == BOL) ++ r->reganch++; ++ ++ /* ++ * If there's something expensive in the r.e., find the ++ * longest literal string that must appear and make it the ++ * regmust. Resolve ties in favor of later strings, since ++ * the regstart check works with the beginning of the r.e. ++ * and avoiding duplication strengthens checking. Not a ++ * strong reason, but sufficient in the absence of others. ++ */ ++ if (flags&SPSTART) { ++ longest = NULL; ++ len = 0; ++ for (; scan != NULL; scan = regnext(scan)) ++ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { ++ longest = OPERAND(scan); ++ len = strlen(OPERAND(scan)); ++ } ++ r->regmust = longest; ++ r->regmlen = len; ++ } ++ } ++ ++ return(r); ++} ++ ++/* ++ - reg - regular expression, i.e. main body or parenthesized thing ++ * ++ * Caller must absorb opening parenthesis. ++ * ++ * Combining parenthesis handling with the base level of regular expression ++ * is a trifle forced, but the need to tie the tails of the branches to what ++ * follows makes it hard to avoid. ++ */ ++static char * ++reg(int paren, int *flagp /* Parenthesized? */ ) ++{ ++ register char *ret; ++ register char *br; ++ register char *ender; ++ register int parno = 0; /* 0 makes gcc happy */ ++ int flags; ++ ++ *flagp = HASWIDTH; /* Tentatively. */ ++ ++ /* Make an OPEN node, if parenthesized. */ ++ if (paren) { ++ if (regnpar >= NSUBEXP) ++ FAIL("too many ()"); ++ parno = regnpar; ++ regnpar++; ++ ret = regnode(OPEN+parno); ++ } else ++ ret = NULL; ++ ++ /* Pick up the branches, linking them together. */ ++ br = regbranch(&flags); ++ if (br == NULL) ++ return(NULL); ++ if (ret != NULL) ++ regtail(ret, br); /* OPEN -> first. */ ++ else ++ ret = br; ++ if (!(flags&HASWIDTH)) ++ *flagp &= ~HASWIDTH; ++ *flagp |= flags&SPSTART; ++ while (*regparse == '|') { ++ regparse++; ++ br = regbranch(&flags); ++ if (br == NULL) ++ return(NULL); ++ regtail(ret, br); /* BRANCH -> BRANCH. */ ++ if (!(flags&HASWIDTH)) ++ *flagp &= ~HASWIDTH; ++ *flagp |= flags&SPSTART; ++ } ++ ++ /* Make a closing node, and hook it on the end. */ ++ ender = regnode((paren) ? CLOSE+parno : END); ++ regtail(ret, ender); ++ ++ /* Hook the tails of the branches to the closing node. */ ++ for (br = ret; br != NULL; br = regnext(br)) ++ regoptail(br, ender); ++ ++ /* Check for proper termination. */ ++ if (paren && *regparse++ != ')') { ++ FAIL("unmatched ()"); ++ } else if (!paren && *regparse != '\0') { ++ if (*regparse == ')') { ++ FAIL("unmatched ()"); ++ } else ++ FAIL("junk on end"); /* "Can't happen". */ ++ /* NOTREACHED */ ++ } ++ ++ return(ret); ++} ++ ++/* ++ - regbranch - one alternative of an | operator ++ * ++ * Implements the concatenation operator. ++ */ ++static char * ++regbranch(int *flagp) ++{ ++ register char *ret; ++ register char *chain; ++ register char *latest; ++ int flags; ++ ++ *flagp = WORST; /* Tentatively. */ ++ ++ ret = regnode(BRANCH); ++ chain = NULL; ++ while (*regparse != '\0' && *regparse != '|' && *regparse != ')') { ++ latest = regpiece(&flags); ++ if (latest == NULL) ++ return(NULL); ++ *flagp |= flags&HASWIDTH; ++ if (chain == NULL) /* First piece. */ ++ *flagp |= flags&SPSTART; ++ else ++ regtail(chain, latest); ++ chain = latest; ++ } ++ if (chain == NULL) /* Loop ran zero times. */ ++ (void) regnode(NOTHING); ++ ++ return(ret); ++} ++ ++/* ++ - regpiece - something followed by possible [*+?] ++ * ++ * Note that the branching code sequences used for ? and the general cases ++ * of * and + are somewhat optimized: they use the same NOTHING node as ++ * both the endmarker for their branch list and the body of the last branch. ++ * It might seem that this node could be dispensed with entirely, but the ++ * endmarker role is not redundant. ++ */ ++static char * ++regpiece(int *flagp) ++{ ++ register char *ret; ++ register char op; ++ register char *next; ++ int flags; ++ ++ ret = regatom(&flags); ++ if (ret == NULL) ++ return(NULL); ++ ++ op = *regparse; ++ if (!ISMULT(op)) { ++ *flagp = flags; ++ return(ret); ++ } ++ ++ if (!(flags&HASWIDTH) && op != '?') ++ FAIL("*+ operand could be empty"); ++ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH); ++ ++ if (op == '*' && (flags&SIMPLE)) ++ reginsert(STAR, ret); ++ else if (op == '*') { ++ /* Emit x* as (x&|), where & means "self". */ ++ reginsert(BRANCH, ret); /* Either x */ ++ regoptail(ret, regnode(BACK)); /* and loop */ ++ regoptail(ret, ret); /* back */ ++ regtail(ret, regnode(BRANCH)); /* or */ ++ regtail(ret, regnode(NOTHING)); /* null. */ ++ } else if (op == '+' && (flags&SIMPLE)) ++ reginsert(PLUS, ret); ++ else if (op == '+') { ++ /* Emit x+ as x(&|), where & means "self". */ ++ next = regnode(BRANCH); /* Either */ ++ regtail(ret, next); ++ regtail(regnode(BACK), ret); /* loop back */ ++ regtail(next, regnode(BRANCH)); /* or */ ++ regtail(ret, regnode(NOTHING)); /* null. */ ++ } else if (op == '?') { ++ /* Emit x? as (x|) */ ++ reginsert(BRANCH, ret); /* Either x */ ++ regtail(ret, regnode(BRANCH)); /* or */ ++ next = regnode(NOTHING); /* null. */ ++ regtail(ret, next); ++ regoptail(ret, next); ++ } ++ regparse++; ++ if (ISMULT(*regparse)) ++ FAIL("nested *?+"); ++ ++ return(ret); ++} ++ ++/* ++ - regatom - the lowest level ++ * ++ * Optimization: gobbles an entire sequence of ordinary characters so that ++ * it can turn them into a single node, which is smaller to store and ++ * faster to run. Backslashed characters are exceptions, each becoming a ++ * separate node; the code is simpler that way and it's not worth fixing. ++ */ ++static char * ++regatom(int *flagp) ++{ ++ register char *ret; ++ int flags; ++ ++ *flagp = WORST; /* Tentatively. */ ++ ++ switch (*regparse++) { ++ case '^': ++ ret = regnode(BOL); ++ break; ++ case '$': ++ ret = regnode(EOL); ++ break; ++ case '.': ++ ret = regnode(ANY); ++ *flagp |= HASWIDTH|SIMPLE; ++ break; ++ case '[': { ++ register int class; ++ register int classend; ++ ++ if (*regparse == '^') { /* Complement of range. */ ++ ret = regnode(ANYBUT); ++ regparse++; ++ } else ++ ret = regnode(ANYOF); ++ if (*regparse == ']' || *regparse == '-') ++ regc(*regparse++); ++ while (*regparse != '\0' && *regparse != ']') { ++ if (*regparse == '-') { ++ regparse++; ++ if (*regparse == ']' || *regparse == '\0') ++ regc('-'); ++ else { ++ class = UCHARAT(regparse-2)+1; ++ classend = UCHARAT(regparse); ++ if (class > classend+1) ++ FAIL("invalid [] range"); ++ for (; class <= classend; class++) ++ regc(class); ++ regparse++; ++ } ++ } else ++ regc(*regparse++); ++ } ++ regc('\0'); ++ if (*regparse != ']') ++ FAIL("unmatched []"); ++ regparse++; ++ *flagp |= HASWIDTH|SIMPLE; ++ } ++ break; ++ case '(': ++ ret = reg(1, &flags); ++ if (ret == NULL) ++ return(NULL); ++ *flagp |= flags&(HASWIDTH|SPSTART); ++ break; ++ case '\0': ++ case '|': ++ case ')': ++ FAIL("internal urp"); /* Supposed to be caught earlier. */ ++ break; ++ case '?': ++ case '+': ++ case '*': ++ FAIL("?+* follows nothing"); ++ break; ++ case '\\': ++ if (*regparse == '\0') ++ FAIL("trailing \\"); ++ ret = regnode(EXACTLY); ++ regc(*regparse++); ++ regc('\0'); ++ *flagp |= HASWIDTH|SIMPLE; ++ break; ++ default: { ++ register int len; ++ register char ender; ++ ++ regparse--; ++ len = my_strcspn((const char *)regparse, (const char *)META); ++ if (len <= 0) ++ FAIL("internal disaster"); ++ ender = *(regparse+len); ++ if (len > 1 && ISMULT(ender)) ++ len--; /* Back off clear of ?+* operand. */ ++ *flagp |= HASWIDTH; ++ if (len == 1) ++ *flagp |= SIMPLE; ++ ret = regnode(EXACTLY); ++ while (len > 0) { ++ regc(*regparse++); ++ len--; ++ } ++ regc('\0'); ++ } ++ break; ++ } ++ ++ return(ret); ++} ++ ++/* ++ - regnode - emit a node ++ */ ++static char * /* Location. */ ++regnode(char op) ++{ ++ register char *ret; ++ register char *ptr; ++ ++ ret = regcode; ++ if (ret == ®dummy) { ++ regsize += 3; ++ return(ret); ++ } ++ ++ ptr = ret; ++ *ptr++ = op; ++ *ptr++ = '\0'; /* Null "next" pointer. */ ++ *ptr++ = '\0'; ++ regcode = ptr; ++ ++ return(ret); ++} ++ ++/* ++ - regc - emit (if appropriate) a byte of code ++ */ ++static void ++regc(char b) ++{ ++ if (regcode != ®dummy) ++ *regcode++ = b; ++ else ++ regsize++; ++} ++ ++/* ++ - reginsert - insert an operator in front of already-emitted operand ++ * ++ * Means relocating the operand. ++ */ ++static void ++reginsert(char op, char* opnd) ++{ ++ register char *src; ++ register char *dst; ++ register char *place; ++ ++ if (regcode == ®dummy) { ++ regsize += 3; ++ return; ++ } ++ ++ src = regcode; ++ regcode += 3; ++ dst = regcode; ++ while (src > opnd) ++ *--dst = *--src; ++ ++ place = opnd; /* Op node, where operand used to be. */ ++ *place++ = op; ++ *place++ = '\0'; ++ *place++ = '\0'; ++} ++ ++/* ++ - regtail - set the next-pointer at the end of a node chain ++ */ ++static void ++regtail(char *p, char *val) ++{ ++ register char *scan; ++ register char *temp; ++ register int offset; ++ ++ if (p == ®dummy) ++ return; ++ ++ /* Find last node. */ ++ scan = p; ++ for (;;) { ++ temp = regnext(scan); ++ if (temp == NULL) ++ break; ++ scan = temp; ++ } ++ ++ if (OP(scan) == BACK) ++ offset = scan - val; ++ else ++ offset = val - scan; ++ *(scan+1) = (offset>>8)&0377; ++ *(scan+2) = offset&0377; ++} ++ ++/* ++ - regoptail - regtail on operand of first argument; nop if operandless ++ */ ++static void ++regoptail(char *p, char *val) ++{ ++ /* "Operandless" and "op != BRANCH" are synonymous in practice. */ ++ if (p == NULL || p == ®dummy || OP(p) != BRANCH) ++ return; ++ regtail(OPERAND(p), val); ++} ++ ++/* ++ * regexec and friends ++ */ ++ ++/* ++ * Global work variables for regexec(). ++ */ ++static char *reginput; /* String-input pointer. */ ++static char *regbol; /* Beginning of input, for ^ check. */ ++static char **regstartp; /* Pointer to startp array. */ ++static char **regendp; /* Ditto for endp. */ ++ ++/* ++ * Forwards. ++ */ ++STATIC int regtry(regexp *prog, char *string); ++STATIC int regmatch(char *prog); ++STATIC int regrepeat(char *p); ++ ++#ifdef DEBUG ++int regnarrate = 0; ++void regdump(); ++STATIC char *regprop(char *op); ++#endif ++ ++/* ++ - regexec - match a regexp against a string ++ */ ++int ++regexec(regexp *prog, char *string) ++{ ++ register char *s; ++ ++ /* Be paranoid... */ ++ if (prog == NULL || string == NULL) { ++ printk("<3>Regexp: NULL parameter\n"); ++ return(0); ++ } ++ ++ /* Check validity of program. */ ++ if (UCHARAT(prog->program) != MAGIC) { ++ printk("<3>Regexp: corrupted program\n"); ++ return(0); ++ } ++ ++ /* If there is a "must appear" string, look for it. */ ++ if (prog->regmust != NULL) { ++ s = string; ++ while ((s = strchr(s, prog->regmust[0])) != NULL) { ++ if (strncmp(s, prog->regmust, prog->regmlen) == 0) ++ break; /* Found it. */ ++ s++; ++ } ++ if (s == NULL) /* Not present. */ ++ return(0); ++ } ++ ++ /* Mark beginning of line for ^ . */ ++ regbol = string; ++ ++ /* Simplest case: anchored match need be tried only once. */ ++ if (prog->reganch) ++ return(regtry(prog, string)); ++ ++ /* Messy cases: unanchored match. */ ++ s = string; ++ if (prog->regstart != '\0') ++ /* We know what char it must start with. */ ++ while ((s = strchr(s, prog->regstart)) != NULL) { ++ if (regtry(prog, s)) ++ return(1); ++ s++; ++ } ++ else ++ /* We don't -- general case. */ ++ do { ++ if (regtry(prog, s)) ++ return(1); ++ } while (*s++ != '\0'); ++ ++ /* Failure. */ ++ return(0); ++} ++ ++/* ++ - regtry - try match at specific point ++ */ ++static int /* 0 failure, 1 success */ ++regtry(regexp *prog, char *string) ++{ ++ register int i; ++ register char **sp; ++ register char **ep; ++ ++ reginput = string; ++ regstartp = prog->startp; ++ regendp = prog->endp; ++ ++ sp = prog->startp; ++ ep = prog->endp; ++ for (i = NSUBEXP; i > 0; i--) { ++ *sp++ = NULL; ++ *ep++ = NULL; ++ } ++ if (regmatch(prog->program + 1)) { ++ prog->startp[0] = string; ++ prog->endp[0] = reginput; ++ return(1); ++ } else ++ return(0); ++} ++ ++/* ++ - regmatch - main matching routine ++ * ++ * Conceptually the strategy is simple: check to see whether the current ++ * node matches, call self recursively to see whether the rest matches, ++ * and then act accordingly. In practice we make some effort to avoid ++ * recursion, in particular by going through "ordinary" nodes (that don't ++ * need to know whether the rest of the match failed) by a loop instead of ++ * by recursion. ++ */ ++static int /* 0 failure, 1 success */ ++regmatch(char *prog) ++{ ++ register char *scan = prog; /* Current node. */ ++ char *next; /* Next node. */ ++ ++#ifdef DEBUG ++ if (scan != NULL && regnarrate) ++ fprintf(stderr, "%s(\n", regprop(scan)); ++#endif ++ while (scan != NULL) { ++#ifdef DEBUG ++ if (regnarrate) ++ fprintf(stderr, "%s...\n", regprop(scan)); ++#endif ++ next = regnext(scan); ++ ++ switch (OP(scan)) { ++ case BOL: ++ if (reginput != regbol) ++ return(0); ++ break; ++ case EOL: ++ if (*reginput != '\0') ++ return(0); ++ break; ++ case ANY: ++ if (*reginput == '\0') ++ return(0); ++ reginput++; ++ break; ++ case EXACTLY: { ++ register int len; ++ register char *opnd; ++ ++ opnd = OPERAND(scan); ++ /* Inline the first character, for speed. */ ++ if (*opnd != *reginput) ++ return(0); ++ len = strlen(opnd); ++ if (len > 1 && strncmp(opnd, reginput, len) != 0) ++ return(0); ++ reginput += len; ++ } ++ break; ++ case ANYOF: ++ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) == NULL) ++ return(0); ++ reginput++; ++ break; ++ case ANYBUT: ++ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) != NULL) ++ return(0); ++ reginput++; ++ break; ++ case NOTHING: ++ case BACK: ++ break; ++ case OPEN+1: ++ case OPEN+2: ++ case OPEN+3: ++ case OPEN+4: ++ case OPEN+5: ++ case OPEN+6: ++ case OPEN+7: ++ case OPEN+8: ++ case OPEN+9: { ++ register int no; ++ register char *save; ++ ++ no = OP(scan) - OPEN; ++ save = reginput; ++ ++ if (regmatch(next)) { ++ /* ++ * Don't set startp if some later ++ * invocation of the same parentheses ++ * already has. ++ */ ++ if (regstartp[no] == NULL) ++ regstartp[no] = save; ++ return(1); ++ } else ++ return(0); ++ } ++ break; ++ case CLOSE+1: ++ case CLOSE+2: ++ case CLOSE+3: ++ case CLOSE+4: ++ case CLOSE+5: ++ case CLOSE+6: ++ case CLOSE+7: ++ case CLOSE+8: ++ case CLOSE+9: ++ { ++ register int no; ++ register char *save; ++ ++ no = OP(scan) - CLOSE; ++ save = reginput; ++ ++ if (regmatch(next)) { ++ /* ++ * Don't set endp if some later ++ * invocation of the same parentheses ++ * already has. ++ */ ++ if (regendp[no] == NULL) ++ regendp[no] = save; ++ return(1); ++ } else ++ return(0); ++ } ++ break; ++ case BRANCH: { ++ register char *save; ++ ++ if (OP(next) != BRANCH) /* No choice. */ ++ next = OPERAND(scan); /* Avoid recursion. */ ++ else { ++ do { ++ save = reginput; ++ if (regmatch(OPERAND(scan))) ++ return(1); ++ reginput = save; ++ scan = regnext(scan); ++ } while (scan != NULL && OP(scan) == BRANCH); ++ return(0); ++ /* NOTREACHED */ ++ } ++ } ++ break; ++ case STAR: ++ case PLUS: { ++ register char nextch; ++ register int no; ++ register char *save; ++ register int min; ++ ++ /* ++ * Lookahead to avoid useless match attempts ++ * when we know what character comes next. ++ */ ++ nextch = '\0'; ++ if (OP(next) == EXACTLY) ++ nextch = *OPERAND(next); ++ min = (OP(scan) == STAR) ? 0 : 1; ++ save = reginput; ++ no = regrepeat(OPERAND(scan)); ++ while (no >= min) { ++ /* If it could work, try it. */ ++ if (nextch == '\0' || *reginput == nextch) ++ if (regmatch(next)) ++ return(1); ++ /* Couldn't or didn't -- back up. */ ++ no--; ++ reginput = save + no; ++ } ++ return(0); ++ } ++ break; ++ case END: ++ return(1); /* Success! */ ++ break; ++ default: ++ printk("<3>Regexp: memory corruption\n"); ++ return(0); ++ break; ++ } ++ ++ scan = next; ++ } ++ ++ /* ++ * We get here only if there's trouble -- normally "case END" is ++ * the terminating point. ++ */ ++ printk("<3>Regexp: corrupted pointers\n"); ++ return(0); ++} ++ ++/* ++ - regrepeat - repeatedly match something simple, report how many ++ */ ++static int ++regrepeat(char *p) ++{ ++ register int count = 0; ++ register char *scan; ++ register char *opnd; ++ ++ scan = reginput; ++ opnd = OPERAND(p); ++ switch (OP(p)) { ++ case ANY: ++ count = strlen(scan); ++ scan += count; ++ break; ++ case EXACTLY: ++ while (*opnd == *scan) { ++ count++; ++ scan++; ++ } ++ break; ++ case ANYOF: ++ while (*scan != '\0' && strchr(opnd, *scan) != NULL) { ++ count++; ++ scan++; ++ } ++ break; ++ case ANYBUT: ++ while (*scan != '\0' && strchr(opnd, *scan) == NULL) { ++ count++; ++ scan++; ++ } ++ break; ++ default: /* Oh dear. Called inappropriately. */ ++ printk("<3>Regexp: internal foulup\n"); ++ count = 0; /* Best compromise. */ ++ break; ++ } ++ reginput = scan; ++ ++ return(count); ++} ++ ++/* ++ - regnext - dig the "next" pointer out of a node ++ */ ++static char* ++regnext(char *p) ++{ ++ register int offset; ++ ++ if (p == ®dummy) ++ return(NULL); ++ ++ offset = NEXT(p); ++ if (offset == 0) ++ return(NULL); ++ ++ if (OP(p) == BACK) ++ return(p-offset); ++ else ++ return(p+offset); ++} ++ ++#ifdef DEBUG ++ ++STATIC char *regprop(); ++ ++/* ++ - regdump - dump a regexp onto stdout in vaguely comprehensible form ++ */ ++void ++regdump(regexp *r) ++{ ++ register char *s; ++ register char op = EXACTLY; /* Arbitrary non-END op. */ ++ register char *next; ++ /* extern char *strchr(); */ ++ ++ ++ s = r->program + 1; ++ while (op != END) { /* While that wasn't END last time... */ ++ op = OP(s); ++ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */ ++ next = regnext(s); ++ if (next == NULL) /* Next ptr. */ ++ printf("(0)"); ++ else ++ printf("(%d)", (s-r->program)+(next-s)); ++ s += 3; ++ if (op == ANYOF || op == ANYBUT || op == EXACTLY) { ++ /* Literal string, where present. */ ++ while (*s != '\0') { ++ putchar(*s); ++ s++; ++ } ++ s++; ++ } ++ putchar('\n'); ++ } ++ ++ /* Header fields of interest. */ ++ if (r->regstart != '\0') ++ printf("start `%c' ", r->regstart); ++ if (r->reganch) ++ printf("anchored "); ++ if (r->regmust != NULL) ++ printf("must have \"%s\"", r->regmust); ++ printf("\n"); ++} ++ ++/* ++ - regprop - printable representation of opcode ++ */ ++static char * ++regprop(char *op) ++{ ++#define BUFLEN 50 ++ register char *p; ++ static char buf[BUFLEN]; ++ ++ strcpy(buf, ":"); ++ ++ switch (OP(op)) { ++ case BOL: ++ p = "BOL"; ++ break; ++ case EOL: ++ p = "EOL"; ++ break; ++ case ANY: ++ p = "ANY"; ++ break; ++ case ANYOF: ++ p = "ANYOF"; ++ break; ++ case ANYBUT: ++ p = "ANYBUT"; ++ break; ++ case BRANCH: ++ p = "BRANCH"; ++ break; ++ case EXACTLY: ++ p = "EXACTLY"; ++ break; ++ case NOTHING: ++ p = "NOTHING"; ++ break; ++ case BACK: ++ p = "BACK"; ++ break; ++ case END: ++ p = "END"; ++ break; ++ case OPEN+1: ++ case OPEN+2: ++ case OPEN+3: ++ case OPEN+4: ++ case OPEN+5: ++ case OPEN+6: ++ case OPEN+7: ++ case OPEN+8: ++ case OPEN+9: ++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN); ++ p = NULL; ++ break; ++ case CLOSE+1: ++ case CLOSE+2: ++ case CLOSE+3: ++ case CLOSE+4: ++ case CLOSE+5: ++ case CLOSE+6: ++ case CLOSE+7: ++ case CLOSE+8: ++ case CLOSE+9: ++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE); ++ p = NULL; ++ break; ++ case STAR: ++ p = "STAR"; ++ break; ++ case PLUS: ++ p = "PLUS"; ++ break; ++ default: ++ printk("<3>Regexp: corrupted opcode\n"); ++ break; ++ } ++ if (p != NULL) ++ strncat(buf, p, BUFLEN-strlen(buf)); ++ return(buf); ++} ++#endif ++ ++ +Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h 2007-12-15 05:20:06.040184453 +0100 +@@ -0,0 +1,40 @@ ++/* ++ * Definitions etc. for regexp(3) routines. ++ * ++ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], ++ * not the System V one. ++ */ ++ ++#ifndef REGEXP_H ++#define REGEXP_H ++ ++/* ++http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h , ++which contains a version of this library, says: ++ ++ * ++ * NSUBEXP must be at least 10, and no greater than 117 or the parser ++ * will not work properly. ++ * ++ ++However, it looks rather like this library is limited to 10. If you think ++otherwise, let us know. ++*/ ++ ++#define NSUBEXP 10 ++typedef struct regexp { ++ char *startp[NSUBEXP]; ++ char *endp[NSUBEXP]; ++ char regstart; /* Internal use only. */ ++ char reganch; /* Internal use only. */ ++ char *regmust; /* Internal use only. */ ++ int regmlen; /* Internal use only. */ ++ char program[1]; /* Unwarranted chumminess with compiler. */ ++} regexp; ++ ++regexp * regcomp(char *exp, int *patternsize); ++int regexec(regexp *prog, char *string); ++void regsub(regexp *prog, char *source, char *dest); ++void regerror(char *s); ++ ++#endif +Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h 2007-12-15 05:20:06.040184453 +0100 +@@ -0,0 +1,5 @@ ++/* ++ * The first byte of the regexp internal "program" is actually this magic ++ * number; the start node begins in the second byte. ++ */ ++#define MAGIC 0234 +Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c 2007-12-15 05:20:06.044184683 +0100 +@@ -0,0 +1,95 @@ ++/* ++ * regsub ++ * @(#)regsub.c 1.3 of 2 April 86 ++ * ++ * Copyright (c) 1986 by University of Toronto. ++ * Written by Henry Spencer. Not derived from licensed software. ++ * ++ * Permission is granted to anyone to use this software for any ++ * purpose on any computer system, and to redistribute it freely, ++ * subject to the following restrictions: ++ * ++ * 1. The author is not responsible for the consequences of use of ++ * this software, no matter how awful, even if they arise ++ * from defects in it. ++ * ++ * 2. The origin of this software must not be misrepresented, either ++ * by explicit claim or by omission. ++ * ++ * 3. Altered versions must be plainly marked as such, and must not ++ * be misrepresented as being the original software. ++ * ++ * ++ * This code was modified by Ethan Sommer to work within the kernel ++ * (it now uses kmalloc etc..) ++ * ++ */ ++#include "regexp.h" ++#include "regmagic.h" ++#include ++ ++ ++#ifndef CHARBITS ++#define UCHARAT(p) ((int)*(unsigned char *)(p)) ++#else ++#define UCHARAT(p) ((int)*(p)&CHARBITS) ++#endif ++ ++#if 0 ++//void regerror(char * s) ++//{ ++// printk("regexp(3): %s", s); ++// /* NOTREACHED */ ++//} ++#endif ++ ++/* ++ - regsub - perform substitutions after a regexp match ++ */ ++void ++regsub(regexp * prog, char * source, char * dest) ++{ ++ register char *src; ++ register char *dst; ++ register char c; ++ register int no; ++ register int len; ++ ++ /* Not necessary and gcc doesn't like it -MLS */ ++ /*extern char *strncpy();*/ ++ ++ if (prog == NULL || source == NULL || dest == NULL) { ++ regerror("NULL parm to regsub"); ++ return; ++ } ++ if (UCHARAT(prog->program) != MAGIC) { ++ regerror("damaged regexp fed to regsub"); ++ return; ++ } ++ ++ src = source; ++ dst = dest; ++ while ((c = *src++) != '\0') { ++ if (c == '&') ++ no = 0; ++ else if (c == '\\' && '0' <= *src && *src <= '9') ++ no = *src++ - '0'; ++ else ++ no = -1; ++ ++ if (no < 0) { /* Ordinary character. */ ++ if (c == '\\' && (*src == '\\' || *src == '&')) ++ c = *src++; ++ *dst++ = c; ++ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { ++ len = prog->endp[no] - prog->startp[no]; ++ (void) strncpy(dst, prog->startp[no], len); ++ dst += len; ++ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */ ++ regerror("damaged match string"); ++ return; ++ } ++ } ++ } ++ *dst++ = '\0'; ++} diff --git a/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch b/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch deleted file mode 100644 index 301a3a79f2..0000000000 --- a/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch +++ /dev/null @@ -1,2095 +0,0 @@ -Index: linux-2.4.35.4/Documentation/Configure.help -=================================================================== ---- linux-2.4.35.4.orig/Documentation/Configure.help 2007-12-15 05:19:54.063501941 +0100 -+++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:06.024183543 +0100 -@@ -29207,6 +29207,18 @@ - - If unsure, say N. - -+CONFIG_IP_NF_MATCH_LAYER7 -+ Say Y if you want to be able to classify connections (and their -+ packets) based on regular expression matching of their application -+ layer data. This is one way to classify applications such as -+ peer-to-peer filesharing systems that do not always use the same -+ port. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ -+CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+ Say Y to get lots of debugging output. -+ - # - # A couple of things I keep forgetting: - # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet, -Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h -=================================================================== ---- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:19:38.358606970 +0100 -+++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:06.024183543 +0100 -@@ -207,6 +207,17 @@ - } nat; - #endif /* CONFIG_IP_NF_NAT_NEEDED */ - -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ struct { -+ unsigned int numpackets; /* surely this is kept track of somewhere else, right? I can't find it... */ -+ char * app_proto; /* "http", "ftp", etc. NULL if unclassifed */ -+ -+ /* the application layer data so far. NULL if ->numpackets > numpackets */ -+ char * app_data; -+ -+ unsigned int app_data_len; -+ } layer7; -+#endif - }; - - /* get master conntrack via master expectation */ -Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h 2007-12-15 05:20:06.032183998 +0100 -@@ -0,0 +1,27 @@ -+/* -+ By Matthew Strait , Dec 2003. -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#ifndef _IPT_LAYER7_H -+#define _IPT_LAYER7_H -+ -+#define MAX_PATTERN_LEN 8192 -+#define MAX_PROTOCOL_LEN 256 -+ -+typedef char *(*proc_ipt_search) (char *, char, char *); -+ -+struct ipt_layer7_info { -+ char protocol[MAX_PROTOCOL_LEN]; -+ char invert:1; -+ char pattern[MAX_PATTERN_LEN]; -+ char pkt; -+}; -+ -+#endif /* _IPT_LAYER7_H */ -Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in -=================================================================== ---- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:05.764168722 +0100 -+++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:06.036184227 +0100 -@@ -44,6 +44,9 @@ - if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then - dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES - dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES -+ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK -+ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7 -+ - fi - # The targets - dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES -Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile -=================================================================== ---- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:05.764168722 +0100 -+++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:06.036184227 +0100 -@@ -87,6 +87,7 @@ - obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o - obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o - obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o -+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o - - # targets - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o -Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:19:38.386608565 +0100 -+++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:06.036184227 +0100 -@@ -346,6 +346,14 @@ - } - kfree(ct->master); - } -+ -+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ if(ct->layer7.app_proto) -+ kfree(ct->layer7.app_proto); -+ if(ct->layer7.app_data) -+ kfree(ct->layer7.app_data); -+ #endif -+ - WRITE_UNLOCK(&ip_conntrack_lock); - - if (master) -Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c -=================================================================== ---- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:19:38.394609023 +0100 -+++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:06.036184227 +0100 -@@ -107,6 +107,13 @@ - len += sprintf(buffer + len, "[ASSURED] "); - len += sprintf(buffer + len, "use=%u ", - atomic_read(&conntrack->ct_general.use)); -+ -+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ if(conntrack->layer7.app_proto) -+ len += sprintf(buffer + len, "l7proto=%s ", -+ conntrack->layer7.app_proto); -+ #endif -+ - len += sprintf(buffer + len, "\n"); - - return len; -Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c 2007-12-15 05:20:06.040184453 +0100 -@@ -0,0 +1,595 @@ -+/* -+ Kernel module to match application layer (OSI layer 7) -+ data in connections. -+ -+ http://l7-filter.sf.net -+ -+ By Matthew Strait and Ethan Sommer, 2003-2005. -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+ -+ Based on ipt_string.c (C) 2000 Emmanuel Roger -+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski -+*/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "regexp/regexp.c" -+ -+#include -+#include -+ -+MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); -+MODULE_LICENSE("GPL"); -+MODULE_DESCRIPTION("iptables application layer match module"); -+ -+static int maxdatalen = 2048; // this is the default -+MODULE_PARM(maxdatalen,"i"); -+MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter"); -+ -+#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG) -+ #define DPRINTK(format,args...) printk(format,##args) -+#else -+ #define DPRINTK(format,args...) -+#endif -+ -+#define TOTAL_PACKETS master_conntrack->layer7.numpackets -+ -+/* Number of packets whose data we look at. -+This can be modified through /proc/net/layer7_numpackets */ -+static int num_packets = 10; -+ -+static struct pattern_cache { -+ char * regex_string; -+ regexp * pattern; -+ struct pattern_cache * next; -+} * first_pattern_cache = NULL; -+ -+/* I'm new to locking. Here are my assumptions: -+ -+- No one will write to /proc/net/layer7_numpackets over and over very fast; -+ if they did, nothing awful would happen. -+ -+- This code will never be processing the same packet twice at the same time, -+ because iptables rules are traversed in order. -+ -+- It doesn't matter if two packets from different connections are in here at -+ the same time, because they don't share any data. -+ -+- It _does_ matter if two packets from the same connection are here at the same -+ time. In this case, we have to protect the conntracks and the list of -+ compiled patterns. -+*/ -+DECLARE_RWLOCK(ct_lock); -+DECLARE_LOCK(list_lock); -+ -+#if CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+/* Converts an unfriendly string into a friendly one by -+replacing unprintables with periods and all whitespace with " ". */ -+static char * friendly_print(unsigned char * s) -+{ -+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC); -+ int i; -+ -+ if(!f) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n"); -+ return NULL; -+ } -+ -+ for(i = 0; i < strlen(s); i++){ -+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i]; -+ else if(isspace(s[i])) f[i] = ' '; -+ else f[i] = '.'; -+ } -+ f[i] = '\0'; -+ return f; -+} -+ -+static char dec2hex(int i) -+{ -+ switch (i) { -+ case 0 ... 9: -+ return (char)(i + '0'); -+ break; -+ case 10 ... 15: -+ return (char)(i - 10 + 'a'); -+ break; -+ default: -+ if (net_ratelimit()) -+ printk("Problem in dec2hex\n"); -+ return '\0'; -+ } -+} -+ -+static char * hex_print(unsigned char * s) -+{ -+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC); -+ int i; -+ -+ if(!g) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n"); -+ return NULL; -+ } -+ -+ for(i = 0; i < strlen(s); i++) { -+ g[i*3 ] = dec2hex(s[i]/16); -+ g[i*3 + 1] = dec2hex(s[i]%16); -+ g[i*3 + 2] = ' '; -+ } -+ g[i*3] = '\0'; -+ -+ return g; -+} -+#endif // DEBUG -+ -+/* Use instead of regcomp. As we expect to be seeing the same regexps over and -+over again, it make sense to cache the results. */ -+static regexp * compile_and_cache(char * regex_string, char * protocol) -+{ -+ struct pattern_cache * node = first_pattern_cache; -+ struct pattern_cache * last_pattern_cache = first_pattern_cache; -+ struct pattern_cache * tmp; -+ unsigned int len; -+ -+ while (node != NULL) { -+ if (!strcmp(node->regex_string, regex_string)) -+ return node->pattern; -+ -+ last_pattern_cache = node;/* points at the last non-NULL node */ -+ node = node->next; -+ } -+ -+ /* If we reach the end of the list, then we have not yet cached -+ the pattern for this regex. Let's do that now. -+ Be paranoid about running out of memory to avoid list corruption. */ -+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC); -+ -+ if(!tmp) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); -+ return NULL; -+ } -+ -+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC); -+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC); -+ tmp->next = NULL; -+ -+ if(!tmp->regex_string || !tmp->pattern) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); -+ kfree(tmp->regex_string); -+ kfree(tmp->pattern); -+ kfree(tmp); -+ return NULL; -+ } -+ -+ /* Ok. The new node is all ready now. */ -+ node = tmp; -+ -+ if(first_pattern_cache == NULL) /* list is empty */ -+ first_pattern_cache = node; /* make node the beginning */ -+ else -+ last_pattern_cache->next = node; /* attach node to the end */ -+ -+ /* copy the string and compile the regex */ -+ len = strlen(regex_string); -+ DPRINTK("About to compile this: \"%s\"\n", regex_string); -+ node->pattern = regcomp(regex_string, &len); -+ if ( !node->pattern ) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol); -+ /* pattern is now cached as NULL, so we won't try again. */ -+ } -+ -+ strcpy(node->regex_string, regex_string); -+ return node->pattern; -+} -+ -+static int can_handle(const struct sk_buff *skb) -+{ -+ if(!skb->nh.iph) /* not IP */ -+ return 0; -+ if(skb->nh.iph->protocol != IPPROTO_TCP && -+ skb->nh.iph->protocol != IPPROTO_UDP && -+ skb->nh.iph->protocol != IPPROTO_ICMP) -+ return 0; -+ return 1; -+} -+ -+/* Returns offset the into the skb->data that the application data starts */ -+static int app_data_offset(const struct sk_buff *skb) -+{ -+ /* In case we are ported somewhere (ebtables?) where skb->nh.iph -+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ -+ int ip_hl = 4*skb->nh.iph->ihl; -+ -+ if( skb->nh.iph->protocol == IPPROTO_TCP ) { -+ /* 12 == offset into TCP header for the header length field. -+ Can't get this with skb->h.th->doff because the tcphdr -+ struct doesn't get set when routing (this is confirmed to be -+ true in Netfilter as well as QoS.) */ -+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4); -+ -+ return ip_hl + tcp_hl; -+ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) { -+ return ip_hl + 8; /* UDP header is always 8 bytes */ -+ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) { -+ return ip_hl + 8; /* ICMP header is 8 bytes */ -+ } else { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n"); -+ return ip_hl + 8; /* something reasonable */ -+ } -+} -+ -+/* handles whether there's a match when we aren't appending data anymore */ -+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack, -+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo, -+ struct ipt_layer7_info * info) -+{ -+ /* If we're in here, throw the app data away */ -+ WRITE_LOCK(&ct_lock); -+ if(master_conntrack->layer7.app_data != NULL) { -+ -+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+ if(!master_conntrack->layer7.app_proto) { -+ char * f = friendly_print(master_conntrack->layer7.app_data); -+ char * g = hex_print(master_conntrack->layer7.app_data); -+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n", -+ strlen(f), -+ TOTAL_PACKETS, f); -+ kfree(f); -+ DPRINTK("In hex: %s\n", g); -+ kfree(g); -+ } -+ #endif -+ -+ kfree(master_conntrack->layer7.app_data); -+ master_conntrack->layer7.app_data = NULL; /* don't free again */ -+ } -+ WRITE_UNLOCK(&ct_lock); -+ -+ if(master_conntrack->layer7.app_proto){ -+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */ -+ WRITE_LOCK(&ct_lock); -+ if(!conntrack->layer7.app_proto) { -+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC); -+ if(!conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ WRITE_UNLOCK(&ct_lock); -+ return 1; -+ } -+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto); -+ } -+ WRITE_UNLOCK(&ct_lock); -+ -+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol)); -+ } -+ else { -+ /* If not classified, set to "unknown" to distinguish from -+ connections that are still being tested. */ -+ WRITE_LOCK(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ WRITE_UNLOCK(&ct_lock); -+ return 1; -+ } -+ strcpy(master_conntrack->layer7.app_proto, "unknown"); -+ WRITE_UNLOCK(&ct_lock); -+ return 0; -+ } -+} -+ -+static int add_datastr(char *target, int offset, char *app_data, int len) -+{ -+ int length = 0, i; -+ -+ /* Strip nulls. Make everything lower case (our regex lib doesn't -+ do case insensitivity). Add it to the end of the current data. */ -+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { -+ if(app_data[i] != '\0') { -+ target[length+offset] = -+ /* the kernel version of tolower mungs 'upper ascii' */ -+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; -+ length++; -+ } -+ } -+ -+ target[length+offset] = '\0'; -+ -+ return length; -+} -+ -+/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct ip_conntrack * master_conntrack, -+ char * app_data, int appdatalen) -+{ -+ int length; -+ -+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); -+ master_conntrack->layer7.app_data_len += length; -+ -+ return length; -+} -+ -+/* Returns true on match and false otherwise. */ -+static int match(/* const */struct sk_buff *skb, const struct net_device *in, -+ const struct net_device *out, const void *matchinfo, -+ int offset, int *hotdrop) -+{ -+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; -+ enum ip_conntrack_info master_ctinfo, ctinfo; -+ struct ip_conntrack *master_conntrack, *conntrack; -+ unsigned char *app_data, *tmp_data; -+ unsigned int pattern_result, appdatalen; -+ regexp * comppattern; -+ -+ if(!can_handle(skb)){ -+ DPRINTK("layer7: This is some protocol I can't handle.\n"); -+ return info->invert; -+ } -+ -+ /* Treat the parent and all its children together as one connection, -+ except for the purpose of setting conntrack->layer7.app_proto in the -+ actual connection. This makes /proc/net/ip_conntrack somewhat more -+ satisfying. */ -+ if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) || -+ !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) { -+ DPRINTK("layer7: packet is not from a known connection, giving up.\n"); -+ return info->invert; -+ } -+ -+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */ -+ while (master_ct(master_conntrack) != NULL) -+ master_conntrack = master_ct(master_conntrack); -+ -+ if(!skb->cb[0]){ -+ WRITE_LOCK(&ct_lock); -+ master_conntrack->layer7.numpackets++;/*starts at 0 via memset*/ -+ WRITE_UNLOCK(&ct_lock); -+ } -+ -+ /* if we've classified it or seen too many packets */ -+ if(!info->pkt && (TOTAL_PACKETS > num_packets || -+ master_conntrack->layer7.app_proto)) { -+ -+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); -+ -+ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7 -+ rules. I'm not sure that using cb for this purpose is correct, although -+ it says "put your private variables there". But it doesn't look like it -+ is being used for anything else in the skbs that make it here. How can -+ I write to cb without making the compiler angry? */ -+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ -+ -+ return (pattern_result ^ info->invert); -+ } -+ -+ if(skb_is_nonlinear(skb)){ -+ if(skb_linearize(skb, GFP_ATOMIC) != 0){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n"); -+ return info->invert; -+ } -+ } -+ -+ /* now that the skb is linearized, it's safe to set these. */ -+ app_data = skb->data + app_data_offset(skb); -+ appdatalen = skb->tail - app_data; -+ -+ LOCK_BH(&list_lock); -+ /* the return value gets checked later, when we're ready to use it */ -+ comppattern = compile_and_cache(info->pattern, info->protocol); -+ UNLOCK_BH(&list_lock); -+ -+ if (info->pkt) { -+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); -+ if(!tmp_data){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ return info->invert; -+ } -+ -+ tmp_data[0] = '\0'; -+ add_datastr(tmp_data, 0, app_data, appdatalen); -+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); -+ kfree(tmp_data); -+ tmp_data = NULL; -+ -+ return (pattern_result ^ info->invert); -+ } -+ -+ /* On the first packet of a connection, allocate space for app data */ -+ WRITE_LOCK(&ct_lock); -+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { -+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_data){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ WRITE_UNLOCK(&ct_lock); -+ return info->invert; -+ } -+ -+ master_conntrack->layer7.app_data[0] = '\0'; -+ } -+ WRITE_UNLOCK(&ct_lock); -+ -+ /* Can be here, but unallocated, if numpackets is increased near -+ the beginning of a connection */ -+ if(master_conntrack->layer7.app_data == NULL) -+ return (info->invert); /* unmatched */ -+ -+ if(!skb->cb[0]){ -+ int newbytes; -+ WRITE_LOCK(&ct_lock); -+ newbytes = add_data(master_conntrack, app_data, appdatalen); -+ WRITE_UNLOCK(&ct_lock); -+ -+ if(newbytes == 0) { /* didn't add any data */ -+ skb->cb[0] = 1; -+ /* Didn't match before, not going to match now */ -+ return info->invert; -+ } -+ } -+ -+ /* If looking for "unknown", then never match. "Unknown" means that -+ we've given up; we're still trying with these packets. */ -+ if(!strcmp(info->protocol, "unknown")) { -+ pattern_result = 0; -+ /* If the regexp failed to compile, don't bother running it */ -+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) { -+ DPRINTK("layer7: regexec positive: %s!\n", info->protocol); -+ pattern_result = 1; -+ } else pattern_result = 0; -+ -+ if(pattern_result) { -+ WRITE_LOCK(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ WRITE_UNLOCK(&ct_lock); -+ return (pattern_result ^ info->invert); -+ } -+ strcpy(master_conntrack->layer7.app_proto, info->protocol); -+ WRITE_UNLOCK(&ct_lock); -+ } -+ -+ /* mark the packet seen */ -+ skb->cb[0] = 1; -+ -+ return (pattern_result ^ info->invert); -+} -+ -+static int checkentry(const char *tablename, const struct ipt_ip *ip, -+ void *matchinfo, unsigned int matchsize, unsigned int hook_mask) -+{ -+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_layer7_info))) -+ return 0; -+ return 1; -+} -+ -+static struct ipt_match layer7_match = { -+ .name = "layer7", -+ .match = &match, -+ .checkentry = &checkentry, -+ .me = THIS_MODULE -+}; -+ -+/* taken from drivers/video/modedb.c */ -+static int my_atoi(const char *s) -+{ -+ int val = 0; -+ -+ for (;; s++) { -+ switch (*s) { -+ case '0'...'9': -+ val = 10*val+(*s-'0'); -+ break; -+ default: -+ return val; -+ } -+ } -+} -+ -+/* write out num_packets to userland. */ -+static int layer7_read_proc(char* page, char ** start, off_t off, int count, -+ int* eof, void * data) -+{ -+ if(num_packets > 99 && net_ratelimit()) -+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); -+ -+ page[0] = num_packets/10 + '0'; -+ page[1] = num_packets%10 + '0'; -+ page[2] = '\n'; -+ page[3] = '\0'; -+ -+ *eof=1; -+ -+ return 3; -+} -+ -+/* Read in num_packets from userland */ -+static int layer7_write_proc(struct file* file, const char* buffer, -+ unsigned long count, void *data) -+{ -+ char * foo = kmalloc(count, GFP_ATOMIC); -+ -+ if(!foo){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n"); -+ return count; -+ } -+ -+ copy_from_user(foo, buffer, count); -+ -+ num_packets = my_atoi(foo); -+ kfree (foo); -+ -+ /* This has an arbitrary limit to make the math easier. I'm lazy. -+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ -+ if(num_packets > 99) { -+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); -+ num_packets = 99; -+ } else if(num_packets < 1) { -+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); -+ num_packets = 1; -+ } -+ -+ return count; -+} -+ -+/* register the proc file */ -+static void layer7_init_proc(void) -+{ -+ struct proc_dir_entry* entry; -+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); -+ entry->read_proc = layer7_read_proc; -+ entry->write_proc = layer7_write_proc; -+} -+ -+static void layer7_cleanup_proc(void) -+{ -+ remove_proc_entry("layer7_numpackets", proc_net); -+} -+ -+static int __init init(void) -+{ -+ layer7_init_proc(); -+ if(maxdatalen < 1) { -+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n"); -+ maxdatalen = 1; -+ } -+ /* This is not a hard limit. It's just here to prevent people from -+ bringing their slow machines to a grinding halt. */ -+ else if(maxdatalen > 65536) { -+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); -+ maxdatalen = 65536; -+ } -+ return ipt_register_match(&layer7_match); -+} -+ -+static void __exit fini(void) -+{ -+ layer7_cleanup_proc(); -+ ipt_unregister_match(&layer7_match); -+} -+ -+module_init(init); -+module_exit(fini); -Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c 2007-12-15 05:20:06.040184453 +0100 -@@ -0,0 +1,1195 @@ -+/* -+ * regcomp and regexec -- regsub and regerror are elsewhere -+ * @(#)regexp.c 1.3 of 18 April 87 -+ * -+ * Copyright (c) 1986 by University of Toronto. -+ * Written by Henry Spencer. Not derived from licensed software. -+ * -+ * Permission is granted to anyone to use this software for any -+ * purpose on any computer system, and to redistribute it freely, -+ * subject to the following restrictions: -+ * -+ * 1. The author is not responsible for the consequences of use of -+ * this software, no matter how awful, even if they arise -+ * from defects in it. -+ * -+ * 2. The origin of this software must not be misrepresented, either -+ * by explicit claim or by omission. -+ * -+ * 3. Altered versions must be plainly marked as such, and must not -+ * be misrepresented as being the original software. -+ * -+ * Beware that some of this code is subtly aware of the way operator -+ * precedence is structured in regular expressions. Serious changes in -+ * regular-expression syntax might require a total rethink. -+ * -+ * This code was modified by Ethan Sommer to work within the kernel -+ * (it now uses kmalloc etc..) -+ * -+ * Modified slightly by Matthew Strait to use more modern C. -+ */ -+ -+#include "regexp.h" -+#include "regmagic.h" -+ -+/* added by ethan and matt. Lets it work in both kernel and user space. -+(So iptables can use it, for instance.) Yea, it goes both ways... */ -+#if __KERNEL__ -+ #define malloc(foo) kmalloc(foo,GFP_ATOMIC) -+#else -+ #define printk(format,args...) printf(format,##args) -+#endif -+ -+void regerror(char * s) -+{ -+ printk("<3>Regexp: %s\n", s); -+ /* NOTREACHED */ -+} -+ -+/* -+ * The "internal use only" fields in regexp.h are present to pass info from -+ * compile to execute that permits the execute phase to run lots faster on -+ * simple cases. They are: -+ * -+ * regstart char that must begin a match; '\0' if none obvious -+ * reganch is the match anchored (at beginning-of-line only)? -+ * regmust string (pointer into program) that match must include, or NULL -+ * regmlen length of regmust string -+ * -+ * Regstart and reganch permit very fast decisions on suitable starting points -+ * for a match, cutting down the work a lot. Regmust permits fast rejection -+ * of lines that cannot possibly match. The regmust tests are costly enough -+ * that regcomp() supplies a regmust only if the r.e. contains something -+ * potentially expensive (at present, the only such thing detected is * or + -+ * at the start of the r.e., which can involve a lot of backup). Regmlen is -+ * supplied because the test in regexec() needs it and regcomp() is computing -+ * it anyway. -+ */ -+ -+/* -+ * Structure for regexp "program". This is essentially a linear encoding -+ * of a nondeterministic finite-state machine (aka syntax charts or -+ * "railroad normal form" in parsing technology). Each node is an opcode -+ * plus a "next" pointer, possibly plus an operand. "Next" pointers of -+ * all nodes except BRANCH implement concatenation; a "next" pointer with -+ * a BRANCH on both ends of it is connecting two alternatives. (Here we -+ * have one of the subtle syntax dependencies: an individual BRANCH (as -+ * opposed to a collection of them) is never concatenated with anything -+ * because of operator precedence.) The operand of some types of node is -+ * a literal string; for others, it is a node leading into a sub-FSM. In -+ * particular, the operand of a BRANCH node is the first node of the branch. -+ * (NB this is *not* a tree structure: the tail of the branch connects -+ * to the thing following the set of BRANCHes.) The opcodes are: -+ */ -+ -+/* definition number opnd? meaning */ -+#define END 0 /* no End of program. */ -+#define BOL 1 /* no Match "" at beginning of line. */ -+#define EOL 2 /* no Match "" at end of line. */ -+#define ANY 3 /* no Match any one character. */ -+#define ANYOF 4 /* str Match any character in this string. */ -+#define ANYBUT 5 /* str Match any character not in this string. */ -+#define BRANCH 6 /* node Match this alternative, or the next... */ -+#define BACK 7 /* no Match "", "next" ptr points backward. */ -+#define EXACTLY 8 /* str Match this string. */ -+#define NOTHING 9 /* no Match empty string. */ -+#define STAR 10 /* node Match this (simple) thing 0 or more times. */ -+#define PLUS 11 /* node Match this (simple) thing 1 or more times. */ -+#define OPEN 20 /* no Mark this point in input as start of #n. */ -+ /* OPEN+1 is number 1, etc. */ -+#define CLOSE 30 /* no Analogous to OPEN. */ -+ -+/* -+ * Opcode notes: -+ * -+ * BRANCH The set of branches constituting a single choice are hooked -+ * together with their "next" pointers, since precedence prevents -+ * anything being concatenated to any individual branch. The -+ * "next" pointer of the last BRANCH in a choice points to the -+ * thing following the whole choice. This is also where the -+ * final "next" pointer of each individual branch points; each -+ * branch starts with the operand node of a BRANCH node. -+ * -+ * BACK Normal "next" pointers all implicitly point forward; BACK -+ * exists to make loop structures possible. -+ * -+ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular -+ * BRANCH structures using BACK. Simple cases (one character -+ * per match) are implemented with STAR and PLUS for speed -+ * and to minimize recursive plunges. -+ * -+ * OPEN,CLOSE ...are numbered at compile time. -+ */ -+ -+/* -+ * A node is one char of opcode followed by two chars of "next" pointer. -+ * "Next" pointers are stored as two 8-bit pieces, high order first. The -+ * value is a positive offset from the opcode of the node containing it. -+ * An operand, if any, simply follows the node. (Note that much of the -+ * code generation knows about this implicit relationship.) -+ * -+ * Using two bytes for the "next" pointer is vast overkill for most things, -+ * but allows patterns to get big without disasters. -+ */ -+#define OP(p) (*(p)) -+#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377)) -+#define OPERAND(p) ((p) + 3) -+ -+/* -+ * See regmagic.h for one further detail of program structure. -+ */ -+ -+ -+/* -+ * Utility definitions. -+ */ -+#ifndef CHARBITS -+#define UCHARAT(p) ((int)*(unsigned char *)(p)) -+#else -+#define UCHARAT(p) ((int)*(p)&CHARBITS) -+#endif -+ -+#define FAIL(m) { regerror(m); return(NULL); } -+#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?') -+#define META "^$.[()|?+*\\" -+ -+/* -+ * Flags to be passed up and down. -+ */ -+#define HASWIDTH 01 /* Known never to match null string. */ -+#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */ -+#define SPSTART 04 /* Starts with * or +. */ -+#define WORST 0 /* Worst case. */ -+ -+/* -+ * Global work variables for regcomp(). -+ */ -+static char *regparse; /* Input-scan pointer. */ -+static int regnpar; /* () count. */ -+static char regdummy; -+static char *regcode; /* Code-emit pointer; ®dummy = don't. */ -+static long regsize; /* Code size. */ -+ -+/* -+ * Forward declarations for regcomp()'s friends. -+ */ -+#ifndef STATIC -+#define STATIC static -+#endif -+STATIC char *reg(int paren,int *flagp); -+STATIC char *regbranch(int *flagp); -+STATIC char *regpiece(int *flagp); -+STATIC char *regatom(int *flagp); -+STATIC char *regnode(char op); -+STATIC char *regnext(char *p); -+STATIC void regc(char b); -+STATIC void reginsert(char op, char *opnd); -+STATIC void regtail(char *p, char *val); -+STATIC void regoptail(char *p, char *val); -+ -+ -+__kernel_size_t my_strcspn(const char *s1,const char *s2) -+{ -+ char *scan1; -+ char *scan2; -+ int count; -+ -+ count = 0; -+ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) { -+ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */ -+ if (*scan1 == *scan2++) -+ return(count); -+ count++; -+ } -+ return(count); -+} -+ -+/* -+ - regcomp - compile a regular expression into internal code -+ * -+ * We can't allocate space until we know how big the compiled form will be, -+ * but we can't compile it (and thus know how big it is) until we've got a -+ * place to put the code. So we cheat: we compile it twice, once with code -+ * generation turned off and size counting turned on, and once "for real". -+ * This also means that we don't allocate space until we are sure that the -+ * thing really will compile successfully, and we never have to move the -+ * code and thus invalidate pointers into it. (Note that it has to be in -+ * one piece because free() must be able to free it all.) -+ * -+ * Beware that the optimization-preparation code in here knows about some -+ * of the structure of the compiled regexp. -+ */ -+regexp * -+regcomp(char *exp,int *patternsize) -+{ -+ register regexp *r; -+ register char *scan; -+ register char *longest; -+ register int len; -+ int flags; -+ /* commented out by ethan -+ extern char *malloc(); -+ */ -+ -+ if (exp == NULL) -+ FAIL("NULL argument"); -+ -+ /* First pass: determine size, legality. */ -+ regparse = exp; -+ regnpar = 1; -+ regsize = 0L; -+ regcode = ®dummy; -+ regc(MAGIC); -+ if (reg(0, &flags) == NULL) -+ return(NULL); -+ -+ /* Small enough for pointer-storage convention? */ -+ if (regsize >= 32767L) /* Probably could be 65535L. */ -+ FAIL("regexp too big"); -+ -+ /* Allocate space. */ -+ *patternsize=sizeof(regexp) + (unsigned)regsize; -+ r = (regexp *)malloc(sizeof(regexp) + (unsigned)regsize); -+ if (r == NULL) -+ FAIL("out of space"); -+ -+ /* Second pass: emit code. */ -+ regparse = exp; -+ regnpar = 1; -+ regcode = r->program; -+ regc(MAGIC); -+ if (reg(0, &flags) == NULL) -+ return(NULL); -+ -+ /* Dig out information for optimizations. */ -+ r->regstart = '\0'; /* Worst-case defaults. */ -+ r->reganch = 0; -+ r->regmust = NULL; -+ r->regmlen = 0; -+ scan = r->program+1; /* First BRANCH. */ -+ if (OP(regnext(scan)) == END) { /* Only one top-level choice. */ -+ scan = OPERAND(scan); -+ -+ /* Starting-point info. */ -+ if (OP(scan) == EXACTLY) -+ r->regstart = *OPERAND(scan); -+ else if (OP(scan) == BOL) -+ r->reganch++; -+ -+ /* -+ * If there's something expensive in the r.e., find the -+ * longest literal string that must appear and make it the -+ * regmust. Resolve ties in favor of later strings, since -+ * the regstart check works with the beginning of the r.e. -+ * and avoiding duplication strengthens checking. Not a -+ * strong reason, but sufficient in the absence of others. -+ */ -+ if (flags&SPSTART) { -+ longest = NULL; -+ len = 0; -+ for (; scan != NULL; scan = regnext(scan)) -+ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { -+ longest = OPERAND(scan); -+ len = strlen(OPERAND(scan)); -+ } -+ r->regmust = longest; -+ r->regmlen = len; -+ } -+ } -+ -+ return(r); -+} -+ -+/* -+ - reg - regular expression, i.e. main body or parenthesized thing -+ * -+ * Caller must absorb opening parenthesis. -+ * -+ * Combining parenthesis handling with the base level of regular expression -+ * is a trifle forced, but the need to tie the tails of the branches to what -+ * follows makes it hard to avoid. -+ */ -+static char * -+reg(int paren, int *flagp /* Parenthesized? */ ) -+{ -+ register char *ret; -+ register char *br; -+ register char *ender; -+ register int parno = 0; /* 0 makes gcc happy */ -+ int flags; -+ -+ *flagp = HASWIDTH; /* Tentatively. */ -+ -+ /* Make an OPEN node, if parenthesized. */ -+ if (paren) { -+ if (regnpar >= NSUBEXP) -+ FAIL("too many ()"); -+ parno = regnpar; -+ regnpar++; -+ ret = regnode(OPEN+parno); -+ } else -+ ret = NULL; -+ -+ /* Pick up the branches, linking them together. */ -+ br = regbranch(&flags); -+ if (br == NULL) -+ return(NULL); -+ if (ret != NULL) -+ regtail(ret, br); /* OPEN -> first. */ -+ else -+ ret = br; -+ if (!(flags&HASWIDTH)) -+ *flagp &= ~HASWIDTH; -+ *flagp |= flags&SPSTART; -+ while (*regparse == '|') { -+ regparse++; -+ br = regbranch(&flags); -+ if (br == NULL) -+ return(NULL); -+ regtail(ret, br); /* BRANCH -> BRANCH. */ -+ if (!(flags&HASWIDTH)) -+ *flagp &= ~HASWIDTH; -+ *flagp |= flags&SPSTART; -+ } -+ -+ /* Make a closing node, and hook it on the end. */ -+ ender = regnode((paren) ? CLOSE+parno : END); -+ regtail(ret, ender); -+ -+ /* Hook the tails of the branches to the closing node. */ -+ for (br = ret; br != NULL; br = regnext(br)) -+ regoptail(br, ender); -+ -+ /* Check for proper termination. */ -+ if (paren && *regparse++ != ')') { -+ FAIL("unmatched ()"); -+ } else if (!paren && *regparse != '\0') { -+ if (*regparse == ')') { -+ FAIL("unmatched ()"); -+ } else -+ FAIL("junk on end"); /* "Can't happen". */ -+ /* NOTREACHED */ -+ } -+ -+ return(ret); -+} -+ -+/* -+ - regbranch - one alternative of an | operator -+ * -+ * Implements the concatenation operator. -+ */ -+static char * -+regbranch(int *flagp) -+{ -+ register char *ret; -+ register char *chain; -+ register char *latest; -+ int flags; -+ -+ *flagp = WORST; /* Tentatively. */ -+ -+ ret = regnode(BRANCH); -+ chain = NULL; -+ while (*regparse != '\0' && *regparse != '|' && *regparse != ')') { -+ latest = regpiece(&flags); -+ if (latest == NULL) -+ return(NULL); -+ *flagp |= flags&HASWIDTH; -+ if (chain == NULL) /* First piece. */ -+ *flagp |= flags&SPSTART; -+ else -+ regtail(chain, latest); -+ chain = latest; -+ } -+ if (chain == NULL) /* Loop ran zero times. */ -+ (void) regnode(NOTHING); -+ -+ return(ret); -+} -+ -+/* -+ - regpiece - something followed by possible [*+?] -+ * -+ * Note that the branching code sequences used for ? and the general cases -+ * of * and + are somewhat optimized: they use the same NOTHING node as -+ * both the endmarker for their branch list and the body of the last branch. -+ * It might seem that this node could be dispensed with entirely, but the -+ * endmarker role is not redundant. -+ */ -+static char * -+regpiece(int *flagp) -+{ -+ register char *ret; -+ register char op; -+ register char *next; -+ int flags; -+ -+ ret = regatom(&flags); -+ if (ret == NULL) -+ return(NULL); -+ -+ op = *regparse; -+ if (!ISMULT(op)) { -+ *flagp = flags; -+ return(ret); -+ } -+ -+ if (!(flags&HASWIDTH) && op != '?') -+ FAIL("*+ operand could be empty"); -+ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH); -+ -+ if (op == '*' && (flags&SIMPLE)) -+ reginsert(STAR, ret); -+ else if (op == '*') { -+ /* Emit x* as (x&|), where & means "self". */ -+ reginsert(BRANCH, ret); /* Either x */ -+ regoptail(ret, regnode(BACK)); /* and loop */ -+ regoptail(ret, ret); /* back */ -+ regtail(ret, regnode(BRANCH)); /* or */ -+ regtail(ret, regnode(NOTHING)); /* null. */ -+ } else if (op == '+' && (flags&SIMPLE)) -+ reginsert(PLUS, ret); -+ else if (op == '+') { -+ /* Emit x+ as x(&|), where & means "self". */ -+ next = regnode(BRANCH); /* Either */ -+ regtail(ret, next); -+ regtail(regnode(BACK), ret); /* loop back */ -+ regtail(next, regnode(BRANCH)); /* or */ -+ regtail(ret, regnode(NOTHING)); /* null. */ -+ } else if (op == '?') { -+ /* Emit x? as (x|) */ -+ reginsert(BRANCH, ret); /* Either x */ -+ regtail(ret, regnode(BRANCH)); /* or */ -+ next = regnode(NOTHING); /* null. */ -+ regtail(ret, next); -+ regoptail(ret, next); -+ } -+ regparse++; -+ if (ISMULT(*regparse)) -+ FAIL("nested *?+"); -+ -+ return(ret); -+} -+ -+/* -+ - regatom - the lowest level -+ * -+ * Optimization: gobbles an entire sequence of ordinary characters so that -+ * it can turn them into a single node, which is smaller to store and -+ * faster to run. Backslashed characters are exceptions, each becoming a -+ * separate node; the code is simpler that way and it's not worth fixing. -+ */ -+static char * -+regatom(int *flagp) -+{ -+ register char *ret; -+ int flags; -+ -+ *flagp = WORST; /* Tentatively. */ -+ -+ switch (*regparse++) { -+ case '^': -+ ret = regnode(BOL); -+ break; -+ case '$': -+ ret = regnode(EOL); -+ break; -+ case '.': -+ ret = regnode(ANY); -+ *flagp |= HASWIDTH|SIMPLE; -+ break; -+ case '[': { -+ register int class; -+ register int classend; -+ -+ if (*regparse == '^') { /* Complement of range. */ -+ ret = regnode(ANYBUT); -+ regparse++; -+ } else -+ ret = regnode(ANYOF); -+ if (*regparse == ']' || *regparse == '-') -+ regc(*regparse++); -+ while (*regparse != '\0' && *regparse != ']') { -+ if (*regparse == '-') { -+ regparse++; -+ if (*regparse == ']' || *regparse == '\0') -+ regc('-'); -+ else { -+ class = UCHARAT(regparse-2)+1; -+ classend = UCHARAT(regparse); -+ if (class > classend+1) -+ FAIL("invalid [] range"); -+ for (; class <= classend; class++) -+ regc(class); -+ regparse++; -+ } -+ } else -+ regc(*regparse++); -+ } -+ regc('\0'); -+ if (*regparse != ']') -+ FAIL("unmatched []"); -+ regparse++; -+ *flagp |= HASWIDTH|SIMPLE; -+ } -+ break; -+ case '(': -+ ret = reg(1, &flags); -+ if (ret == NULL) -+ return(NULL); -+ *flagp |= flags&(HASWIDTH|SPSTART); -+ break; -+ case '\0': -+ case '|': -+ case ')': -+ FAIL("internal urp"); /* Supposed to be caught earlier. */ -+ break; -+ case '?': -+ case '+': -+ case '*': -+ FAIL("?+* follows nothing"); -+ break; -+ case '\\': -+ if (*regparse == '\0') -+ FAIL("trailing \\"); -+ ret = regnode(EXACTLY); -+ regc(*regparse++); -+ regc('\0'); -+ *flagp |= HASWIDTH|SIMPLE; -+ break; -+ default: { -+ register int len; -+ register char ender; -+ -+ regparse--; -+ len = my_strcspn((const char *)regparse, (const char *)META); -+ if (len <= 0) -+ FAIL("internal disaster"); -+ ender = *(regparse+len); -+ if (len > 1 && ISMULT(ender)) -+ len--; /* Back off clear of ?+* operand. */ -+ *flagp |= HASWIDTH; -+ if (len == 1) -+ *flagp |= SIMPLE; -+ ret = regnode(EXACTLY); -+ while (len > 0) { -+ regc(*regparse++); -+ len--; -+ } -+ regc('\0'); -+ } -+ break; -+ } -+ -+ return(ret); -+} -+ -+/* -+ - regnode - emit a node -+ */ -+static char * /* Location. */ -+regnode(char op) -+{ -+ register char *ret; -+ register char *ptr; -+ -+ ret = regcode; -+ if (ret == ®dummy) { -+ regsize += 3; -+ return(ret); -+ } -+ -+ ptr = ret; -+ *ptr++ = op; -+ *ptr++ = '\0'; /* Null "next" pointer. */ -+ *ptr++ = '\0'; -+ regcode = ptr; -+ -+ return(ret); -+} -+ -+/* -+ - regc - emit (if appropriate) a byte of code -+ */ -+static void -+regc(char b) -+{ -+ if (regcode != ®dummy) -+ *regcode++ = b; -+ else -+ regsize++; -+} -+ -+/* -+ - reginsert - insert an operator in front of already-emitted operand -+ * -+ * Means relocating the operand. -+ */ -+static void -+reginsert(char op, char* opnd) -+{ -+ register char *src; -+ register char *dst; -+ register char *place; -+ -+ if (regcode == ®dummy) { -+ regsize += 3; -+ return; -+ } -+ -+ src = regcode; -+ regcode += 3; -+ dst = regcode; -+ while (src > opnd) -+ *--dst = *--src; -+ -+ place = opnd; /* Op node, where operand used to be. */ -+ *place++ = op; -+ *place++ = '\0'; -+ *place++ = '\0'; -+} -+ -+/* -+ - regtail - set the next-pointer at the end of a node chain -+ */ -+static void -+regtail(char *p, char *val) -+{ -+ register char *scan; -+ register char *temp; -+ register int offset; -+ -+ if (p == ®dummy) -+ return; -+ -+ /* Find last node. */ -+ scan = p; -+ for (;;) { -+ temp = regnext(scan); -+ if (temp == NULL) -+ break; -+ scan = temp; -+ } -+ -+ if (OP(scan) == BACK) -+ offset = scan - val; -+ else -+ offset = val - scan; -+ *(scan+1) = (offset>>8)&0377; -+ *(scan+2) = offset&0377; -+} -+ -+/* -+ - regoptail - regtail on operand of first argument; nop if operandless -+ */ -+static void -+regoptail(char *p, char *val) -+{ -+ /* "Operandless" and "op != BRANCH" are synonymous in practice. */ -+ if (p == NULL || p == ®dummy || OP(p) != BRANCH) -+ return; -+ regtail(OPERAND(p), val); -+} -+ -+/* -+ * regexec and friends -+ */ -+ -+/* -+ * Global work variables for regexec(). -+ */ -+static char *reginput; /* String-input pointer. */ -+static char *regbol; /* Beginning of input, for ^ check. */ -+static char **regstartp; /* Pointer to startp array. */ -+static char **regendp; /* Ditto for endp. */ -+ -+/* -+ * Forwards. -+ */ -+STATIC int regtry(regexp *prog, char *string); -+STATIC int regmatch(char *prog); -+STATIC int regrepeat(char *p); -+ -+#ifdef DEBUG -+int regnarrate = 0; -+void regdump(); -+STATIC char *regprop(char *op); -+#endif -+ -+/* -+ - regexec - match a regexp against a string -+ */ -+int -+regexec(regexp *prog, char *string) -+{ -+ register char *s; -+ -+ /* Be paranoid... */ -+ if (prog == NULL || string == NULL) { -+ printk("<3>Regexp: NULL parameter\n"); -+ return(0); -+ } -+ -+ /* Check validity of program. */ -+ if (UCHARAT(prog->program) != MAGIC) { -+ printk("<3>Regexp: corrupted program\n"); -+ return(0); -+ } -+ -+ /* If there is a "must appear" string, look for it. */ -+ if (prog->regmust != NULL) { -+ s = string; -+ while ((s = strchr(s, prog->regmust[0])) != NULL) { -+ if (strncmp(s, prog->regmust, prog->regmlen) == 0) -+ break; /* Found it. */ -+ s++; -+ } -+ if (s == NULL) /* Not present. */ -+ return(0); -+ } -+ -+ /* Mark beginning of line for ^ . */ -+ regbol = string; -+ -+ /* Simplest case: anchored match need be tried only once. */ -+ if (prog->reganch) -+ return(regtry(prog, string)); -+ -+ /* Messy cases: unanchored match. */ -+ s = string; -+ if (prog->regstart != '\0') -+ /* We know what char it must start with. */ -+ while ((s = strchr(s, prog->regstart)) != NULL) { -+ if (regtry(prog, s)) -+ return(1); -+ s++; -+ } -+ else -+ /* We don't -- general case. */ -+ do { -+ if (regtry(prog, s)) -+ return(1); -+ } while (*s++ != '\0'); -+ -+ /* Failure. */ -+ return(0); -+} -+ -+/* -+ - regtry - try match at specific point -+ */ -+static int /* 0 failure, 1 success */ -+regtry(regexp *prog, char *string) -+{ -+ register int i; -+ register char **sp; -+ register char **ep; -+ -+ reginput = string; -+ regstartp = prog->startp; -+ regendp = prog->endp; -+ -+ sp = prog->startp; -+ ep = prog->endp; -+ for (i = NSUBEXP; i > 0; i--) { -+ *sp++ = NULL; -+ *ep++ = NULL; -+ } -+ if (regmatch(prog->program + 1)) { -+ prog->startp[0] = string; -+ prog->endp[0] = reginput; -+ return(1); -+ } else -+ return(0); -+} -+ -+/* -+ - regmatch - main matching routine -+ * -+ * Conceptually the strategy is simple: check to see whether the current -+ * node matches, call self recursively to see whether the rest matches, -+ * and then act accordingly. In practice we make some effort to avoid -+ * recursion, in particular by going through "ordinary" nodes (that don't -+ * need to know whether the rest of the match failed) by a loop instead of -+ * by recursion. -+ */ -+static int /* 0 failure, 1 success */ -+regmatch(char *prog) -+{ -+ register char *scan = prog; /* Current node. */ -+ char *next; /* Next node. */ -+ -+#ifdef DEBUG -+ if (scan != NULL && regnarrate) -+ fprintf(stderr, "%s(\n", regprop(scan)); -+#endif -+ while (scan != NULL) { -+#ifdef DEBUG -+ if (regnarrate) -+ fprintf(stderr, "%s...\n", regprop(scan)); -+#endif -+ next = regnext(scan); -+ -+ switch (OP(scan)) { -+ case BOL: -+ if (reginput != regbol) -+ return(0); -+ break; -+ case EOL: -+ if (*reginput != '\0') -+ return(0); -+ break; -+ case ANY: -+ if (*reginput == '\0') -+ return(0); -+ reginput++; -+ break; -+ case EXACTLY: { -+ register int len; -+ register char *opnd; -+ -+ opnd = OPERAND(scan); -+ /* Inline the first character, for speed. */ -+ if (*opnd != *reginput) -+ return(0); -+ len = strlen(opnd); -+ if (len > 1 && strncmp(opnd, reginput, len) != 0) -+ return(0); -+ reginput += len; -+ } -+ break; -+ case ANYOF: -+ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) == NULL) -+ return(0); -+ reginput++; -+ break; -+ case ANYBUT: -+ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) != NULL) -+ return(0); -+ reginput++; -+ break; -+ case NOTHING: -+ case BACK: -+ break; -+ case OPEN+1: -+ case OPEN+2: -+ case OPEN+3: -+ case OPEN+4: -+ case OPEN+5: -+ case OPEN+6: -+ case OPEN+7: -+ case OPEN+8: -+ case OPEN+9: { -+ register int no; -+ register char *save; -+ -+ no = OP(scan) - OPEN; -+ save = reginput; -+ -+ if (regmatch(next)) { -+ /* -+ * Don't set startp if some later -+ * invocation of the same parentheses -+ * already has. -+ */ -+ if (regstartp[no] == NULL) -+ regstartp[no] = save; -+ return(1); -+ } else -+ return(0); -+ } -+ break; -+ case CLOSE+1: -+ case CLOSE+2: -+ case CLOSE+3: -+ case CLOSE+4: -+ case CLOSE+5: -+ case CLOSE+6: -+ case CLOSE+7: -+ case CLOSE+8: -+ case CLOSE+9: -+ { -+ register int no; -+ register char *save; -+ -+ no = OP(scan) - CLOSE; -+ save = reginput; -+ -+ if (regmatch(next)) { -+ /* -+ * Don't set endp if some later -+ * invocation of the same parentheses -+ * already has. -+ */ -+ if (regendp[no] == NULL) -+ regendp[no] = save; -+ return(1); -+ } else -+ return(0); -+ } -+ break; -+ case BRANCH: { -+ register char *save; -+ -+ if (OP(next) != BRANCH) /* No choice. */ -+ next = OPERAND(scan); /* Avoid recursion. */ -+ else { -+ do { -+ save = reginput; -+ if (regmatch(OPERAND(scan))) -+ return(1); -+ reginput = save; -+ scan = regnext(scan); -+ } while (scan != NULL && OP(scan) == BRANCH); -+ return(0); -+ /* NOTREACHED */ -+ } -+ } -+ break; -+ case STAR: -+ case PLUS: { -+ register char nextch; -+ register int no; -+ register char *save; -+ register int min; -+ -+ /* -+ * Lookahead to avoid useless match attempts -+ * when we know what character comes next. -+ */ -+ nextch = '\0'; -+ if (OP(next) == EXACTLY) -+ nextch = *OPERAND(next); -+ min = (OP(scan) == STAR) ? 0 : 1; -+ save = reginput; -+ no = regrepeat(OPERAND(scan)); -+ while (no >= min) { -+ /* If it could work, try it. */ -+ if (nextch == '\0' || *reginput == nextch) -+ if (regmatch(next)) -+ return(1); -+ /* Couldn't or didn't -- back up. */ -+ no--; -+ reginput = save + no; -+ } -+ return(0); -+ } -+ break; -+ case END: -+ return(1); /* Success! */ -+ break; -+ default: -+ printk("<3>Regexp: memory corruption\n"); -+ return(0); -+ break; -+ } -+ -+ scan = next; -+ } -+ -+ /* -+ * We get here only if there's trouble -- normally "case END" is -+ * the terminating point. -+ */ -+ printk("<3>Regexp: corrupted pointers\n"); -+ return(0); -+} -+ -+/* -+ - regrepeat - repeatedly match something simple, report how many -+ */ -+static int -+regrepeat(char *p) -+{ -+ register int count = 0; -+ register char *scan; -+ register char *opnd; -+ -+ scan = reginput; -+ opnd = OPERAND(p); -+ switch (OP(p)) { -+ case ANY: -+ count = strlen(scan); -+ scan += count; -+ break; -+ case EXACTLY: -+ while (*opnd == *scan) { -+ count++; -+ scan++; -+ } -+ break; -+ case ANYOF: -+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) { -+ count++; -+ scan++; -+ } -+ break; -+ case ANYBUT: -+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) { -+ count++; -+ scan++; -+ } -+ break; -+ default: /* Oh dear. Called inappropriately. */ -+ printk("<3>Regexp: internal foulup\n"); -+ count = 0; /* Best compromise. */ -+ break; -+ } -+ reginput = scan; -+ -+ return(count); -+} -+ -+/* -+ - regnext - dig the "next" pointer out of a node -+ */ -+static char* -+regnext(char *p) -+{ -+ register int offset; -+ -+ if (p == ®dummy) -+ return(NULL); -+ -+ offset = NEXT(p); -+ if (offset == 0) -+ return(NULL); -+ -+ if (OP(p) == BACK) -+ return(p-offset); -+ else -+ return(p+offset); -+} -+ -+#ifdef DEBUG -+ -+STATIC char *regprop(); -+ -+/* -+ - regdump - dump a regexp onto stdout in vaguely comprehensible form -+ */ -+void -+regdump(regexp *r) -+{ -+ register char *s; -+ register char op = EXACTLY; /* Arbitrary non-END op. */ -+ register char *next; -+ /* extern char *strchr(); */ -+ -+ -+ s = r->program + 1; -+ while (op != END) { /* While that wasn't END last time... */ -+ op = OP(s); -+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */ -+ next = regnext(s); -+ if (next == NULL) /* Next ptr. */ -+ printf("(0)"); -+ else -+ printf("(%d)", (s-r->program)+(next-s)); -+ s += 3; -+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) { -+ /* Literal string, where present. */ -+ while (*s != '\0') { -+ putchar(*s); -+ s++; -+ } -+ s++; -+ } -+ putchar('\n'); -+ } -+ -+ /* Header fields of interest. */ -+ if (r->regstart != '\0') -+ printf("start `%c' ", r->regstart); -+ if (r->reganch) -+ printf("anchored "); -+ if (r->regmust != NULL) -+ printf("must have \"%s\"", r->regmust); -+ printf("\n"); -+} -+ -+/* -+ - regprop - printable representation of opcode -+ */ -+static char * -+regprop(char *op) -+{ -+#define BUFLEN 50 -+ register char *p; -+ static char buf[BUFLEN]; -+ -+ strcpy(buf, ":"); -+ -+ switch (OP(op)) { -+ case BOL: -+ p = "BOL"; -+ break; -+ case EOL: -+ p = "EOL"; -+ break; -+ case ANY: -+ p = "ANY"; -+ break; -+ case ANYOF: -+ p = "ANYOF"; -+ break; -+ case ANYBUT: -+ p = "ANYBUT"; -+ break; -+ case BRANCH: -+ p = "BRANCH"; -+ break; -+ case EXACTLY: -+ p = "EXACTLY"; -+ break; -+ case NOTHING: -+ p = "NOTHING"; -+ break; -+ case BACK: -+ p = "BACK"; -+ break; -+ case END: -+ p = "END"; -+ break; -+ case OPEN+1: -+ case OPEN+2: -+ case OPEN+3: -+ case OPEN+4: -+ case OPEN+5: -+ case OPEN+6: -+ case OPEN+7: -+ case OPEN+8: -+ case OPEN+9: -+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN); -+ p = NULL; -+ break; -+ case CLOSE+1: -+ case CLOSE+2: -+ case CLOSE+3: -+ case CLOSE+4: -+ case CLOSE+5: -+ case CLOSE+6: -+ case CLOSE+7: -+ case CLOSE+8: -+ case CLOSE+9: -+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE); -+ p = NULL; -+ break; -+ case STAR: -+ p = "STAR"; -+ break; -+ case PLUS: -+ p = "PLUS"; -+ break; -+ default: -+ printk("<3>Regexp: corrupted opcode\n"); -+ break; -+ } -+ if (p != NULL) -+ strncat(buf, p, BUFLEN-strlen(buf)); -+ return(buf); -+} -+#endif -+ -+ -Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h 2007-12-15 05:20:06.040184453 +0100 -@@ -0,0 +1,40 @@ -+/* -+ * Definitions etc. for regexp(3) routines. -+ * -+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], -+ * not the System V one. -+ */ -+ -+#ifndef REGEXP_H -+#define REGEXP_H -+ -+/* -+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h , -+which contains a version of this library, says: -+ -+ * -+ * NSUBEXP must be at least 10, and no greater than 117 or the parser -+ * will not work properly. -+ * -+ -+However, it looks rather like this library is limited to 10. If you think -+otherwise, let us know. -+*/ -+ -+#define NSUBEXP 10 -+typedef struct regexp { -+ char *startp[NSUBEXP]; -+ char *endp[NSUBEXP]; -+ char regstart; /* Internal use only. */ -+ char reganch; /* Internal use only. */ -+ char *regmust; /* Internal use only. */ -+ int regmlen; /* Internal use only. */ -+ char program[1]; /* Unwarranted chumminess with compiler. */ -+} regexp; -+ -+regexp * regcomp(char *exp, int *patternsize); -+int regexec(regexp *prog, char *string); -+void regsub(regexp *prog, char *source, char *dest); -+void regerror(char *s); -+ -+#endif -Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h 2007-12-15 05:20:06.040184453 +0100 -@@ -0,0 +1,5 @@ -+/* -+ * The first byte of the regexp internal "program" is actually this magic -+ * number; the start node begins in the second byte. -+ */ -+#define MAGIC 0234 -Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c 2007-12-15 05:20:06.044184683 +0100 -@@ -0,0 +1,95 @@ -+/* -+ * regsub -+ * @(#)regsub.c 1.3 of 2 April 86 -+ * -+ * Copyright (c) 1986 by University of Toronto. -+ * Written by Henry Spencer. Not derived from licensed software. -+ * -+ * Permission is granted to anyone to use this software for any -+ * purpose on any computer system, and to redistribute it freely, -+ * subject to the following restrictions: -+ * -+ * 1. The author is not responsible for the consequences of use of -+ * this software, no matter how awful, even if they arise -+ * from defects in it. -+ * -+ * 2. The origin of this software must not be misrepresented, either -+ * by explicit claim or by omission. -+ * -+ * 3. Altered versions must be plainly marked as such, and must not -+ * be misrepresented as being the original software. -+ * -+ * -+ * This code was modified by Ethan Sommer to work within the kernel -+ * (it now uses kmalloc etc..) -+ * -+ */ -+#include "regexp.h" -+#include "regmagic.h" -+#include -+ -+ -+#ifndef CHARBITS -+#define UCHARAT(p) ((int)*(unsigned char *)(p)) -+#else -+#define UCHARAT(p) ((int)*(p)&CHARBITS) -+#endif -+ -+#if 0 -+//void regerror(char * s) -+//{ -+// printk("regexp(3): %s", s); -+// /* NOTREACHED */ -+//} -+#endif -+ -+/* -+ - regsub - perform substitutions after a regexp match -+ */ -+void -+regsub(regexp * prog, char * source, char * dest) -+{ -+ register char *src; -+ register char *dst; -+ register char c; -+ register int no; -+ register int len; -+ -+ /* Not necessary and gcc doesn't like it -MLS */ -+ /*extern char *strncpy();*/ -+ -+ if (prog == NULL || source == NULL || dest == NULL) { -+ regerror("NULL parm to regsub"); -+ return; -+ } -+ if (UCHARAT(prog->program) != MAGIC) { -+ regerror("damaged regexp fed to regsub"); -+ return; -+ } -+ -+ src = source; -+ dst = dest; -+ while ((c = *src++) != '\0') { -+ if (c == '&') -+ no = 0; -+ else if (c == '\\' && '0' <= *src && *src <= '9') -+ no = *src++ - '0'; -+ else -+ no = -1; -+ -+ if (no < 0) { /* Ordinary character. */ -+ if (c == '\\' && (*src == '\\' || *src == '&')) -+ c = *src++; -+ *dst++ = c; -+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { -+ len = prog->endp[no] - prog->startp[no]; -+ (void) strncpy(dst, prog->startp[no], len); -+ dst += len; -+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */ -+ regerror("damaged match string"); -+ return; -+ } -+ } -+ } -+ *dst++ = '\0'; -+} diff --git a/target/linux/generic-2.6/config-2.6.22 b/target/linux/generic-2.6/config-2.6.22 index f18508eb1a..c91d1e338b 100644 --- a/target/linux/generic-2.6/config-2.6.22 +++ b/target/linux/generic-2.6/config-2.6.22 @@ -558,8 +558,6 @@ CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_HASHLIMIT=m CONFIG_IP_NF_MATCH_IPP2P=m CONFIG_IP_NF_MATCH_IPRANGE=m -CONFIG_IP_NF_MATCH_LAYER7=m -# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_MATCH_RECENT=m CONFIG_IP_NF_MATCH_SET=m @@ -745,6 +743,8 @@ CONFIG_NETFILTER_XT_MATCH_PORTSCAN=m CONFIG_NETFILTER_XT_MATCH_REALM=m CONFIG_NETFILTER_XT_MATCH_SCTP=m CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_LAYER7=m +# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set # CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set CONFIG_NETFILTER_XT_MATCH_STRING=m CONFIG_NETFILTER_XT_MATCH_TCPMSS=m diff --git a/target/linux/generic-2.6/config-default b/target/linux/generic-2.6/config-default index d814b01b7d..cbef53671d 100644 --- a/target/linux/generic-2.6/config-default +++ b/target/linux/generic-2.6/config-default @@ -533,8 +533,6 @@ CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_HASHLIMIT=m CONFIG_IP_NF_MATCH_IPP2P=m CONFIG_IP_NF_MATCH_IPRANGE=m -CONFIG_IP_NF_MATCH_LAYER7=m -# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_MATCH_RECENT=m CONFIG_IP_NF_MATCH_SET=m @@ -713,6 +711,8 @@ CONFIG_NETFILTER_XT_MATCH_PORTSCAN=m CONFIG_NETFILTER_XT_MATCH_REALM=m CONFIG_NETFILTER_XT_MATCH_SCTP=m CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_LAYER7=m +# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set # CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set CONFIG_NETFILTER_XT_MATCH_STRING=m CONFIG_NETFILTER_XT_MATCH_TCPMSS=y diff --git a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.17.patch b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.17.patch new file mode 100644 index 0000000000..bfac6801a6 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.17.patch @@ -0,0 +1,2123 @@ +Index: linux-2.6.22.18/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.22.18.orig/net/netfilter/Kconfig ++++ linux-2.6.22.18/net/netfilter/Kconfig +@@ -603,6 +603,27 @@ config NETFILTER_XT_MATCH_STATE + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_MATCH_LAYER7 ++ tristate '"layer7" match support' ++ depends on NETFILTER_XTABLES ++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK) ++ depends on NF_CT_ACCT ++ help ++ Say Y if you want to be able to classify connections (and their ++ packets) based on regular expression matching of their application ++ layer data. This is one way to classify applications such as ++ peer-to-peer filesharing systems that do not always use the same ++ port. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ ++config NETFILTER_XT_MATCH_LAYER7_DEBUG ++ bool 'Layer 7 debugging output' ++ depends on NETFILTER_XT_MATCH_LAYER7 ++ help ++ Say Y to get lots of debugging output. ++ ++ + config NETFILTER_XT_MATCH_STATISTIC + tristate '"statistic" match support' + depends on NETFILTER_XTABLES +Index: linux-2.6.22.18/net/netfilter/Makefile +=================================================================== +--- linux-2.6.22.18.orig/net/netfilter/Makefile ++++ linux-2.6.22.18/net/netfilter/Makefile +@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) + + obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o + obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o + obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o + obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o + obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o + obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o +Index: linux-2.6.22.18/net/netfilter/xt_layer7.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/xt_layer7.c +@@ -0,0 +1,634 @@ ++/* ++ Kernel module to match application layer (OSI layer 7) data in connections. ++ ++ http://l7-filter.sf.net ++ ++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on ipt_string.c (C) 2000 Emmanuel Roger , ++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait, ++ Ethan Sommer, Justin Levandoski. ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "regexp/regexp.c" ++ ++MODULE_LICENSE("GPL"); ++MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); ++MODULE_DESCRIPTION("iptables application layer match module"); ++MODULE_ALIAS("ipt_layer7"); ++MODULE_VERSION("2.17"); ++ ++static int maxdatalen = 2048; // this is the default ++module_param(maxdatalen, int, 0444); ++MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter"); ++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG ++ #define DPRINTK(format,args...) printk(format,##args) ++#else ++ #define DPRINTK(format,args...) ++#endif ++ ++#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \ ++ master_conntrack->counters[IP_CT_DIR_REPLY].packets ++ ++/* Number of packets whose data we look at. ++This can be modified through /proc/net/layer7_numpackets */ ++static int num_packets = 10; ++ ++static struct pattern_cache { ++ char * regex_string; ++ regexp * pattern; ++ struct pattern_cache * next; ++} * first_pattern_cache = NULL; ++ ++DEFINE_SPINLOCK(l7_lock); ++ ++#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++/* Converts an unfriendly string into a friendly one by ++replacing unprintables with periods and all whitespace with " ". */ ++static char * friendly_print(unsigned char * s) ++{ ++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC); ++ int i; ++ ++ if(!f) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "friendly_print, bailing.\n"); ++ return NULL; ++ } ++ ++ for(i = 0; i < strlen(s); i++){ ++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i]; ++ else if(isspace(s[i])) f[i] = ' '; ++ else f[i] = '.'; ++ } ++ f[i] = '\0'; ++ return f; ++} ++ ++static char dec2hex(int i) ++{ ++ switch (i) { ++ case 0 ... 9: ++ return (i + '0'); ++ break; ++ case 10 ... 15: ++ return (i - 10 + 'a'); ++ break; ++ default: ++ if (net_ratelimit()) ++ printk("layer7: Problem in dec2hex\n"); ++ return '\0'; ++ } ++} ++ ++static char * hex_print(unsigned char * s) ++{ ++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC); ++ int i; ++ ++ if(!g) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in hex_print, " ++ "bailing.\n"); ++ return NULL; ++ } ++ ++ for(i = 0; i < strlen(s); i++) { ++ g[i*3 ] = dec2hex(s[i]/16); ++ g[i*3 + 1] = dec2hex(s[i]%16); ++ g[i*3 + 2] = ' '; ++ } ++ g[i*3] = '\0'; ++ ++ return g; ++} ++#endif // DEBUG ++ ++/* Use instead of regcomp. As we expect to be seeing the same regexps over and ++over again, it make sense to cache the results. */ ++static regexp * compile_and_cache(const char * regex_string, ++ const char * protocol) ++{ ++ struct pattern_cache * node = first_pattern_cache; ++ struct pattern_cache * last_pattern_cache = first_pattern_cache; ++ struct pattern_cache * tmp; ++ unsigned int len; ++ ++ while (node != NULL) { ++ if (!strcmp(node->regex_string, regex_string)) ++ return node->pattern; ++ ++ last_pattern_cache = node;/* points at the last non-NULL node */ ++ node = node->next; ++ } ++ ++ /* If we reach the end of the list, then we have not yet cached ++ the pattern for this regex. Let's do that now. ++ Be paranoid about running out of memory to avoid list corruption. */ ++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC); ++ ++ if(!tmp) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "compile_and_cache, bailing.\n"); ++ return NULL; ++ } ++ ++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC); ++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC); ++ tmp->next = NULL; ++ ++ if(!tmp->regex_string || !tmp->pattern) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "compile_and_cache, bailing.\n"); ++ kfree(tmp->regex_string); ++ kfree(tmp->pattern); ++ kfree(tmp); ++ return NULL; ++ } ++ ++ /* Ok. The new node is all ready now. */ ++ node = tmp; ++ ++ if(first_pattern_cache == NULL) /* list is empty */ ++ first_pattern_cache = node; /* make node the beginning */ ++ else ++ last_pattern_cache->next = node; /* attach node to the end */ ++ ++ /* copy the string and compile the regex */ ++ len = strlen(regex_string); ++ DPRINTK("About to compile this: \"%s\"\n", regex_string); ++ node->pattern = regcomp((char *)regex_string, &len); ++ if ( !node->pattern ) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: Error compiling regexp " ++ "\"%s\" (%s)\n", ++ regex_string, protocol); ++ /* pattern is now cached as NULL, so we won't try again. */ ++ } ++ ++ strcpy(node->regex_string, regex_string); ++ return node->pattern; ++} ++ ++static int can_handle(const struct sk_buff *skb) ++{ ++ if(!ip_hdr(skb)) /* not IP */ ++ return 0; ++ if(ip_hdr(skb)->protocol != IPPROTO_TCP && ++ ip_hdr(skb)->protocol != IPPROTO_UDP && ++ ip_hdr(skb)->protocol != IPPROTO_ICMP) ++ return 0; ++ return 1; ++} ++ ++/* Returns offset the into the skb->data that the application data starts */ ++static int app_data_offset(const struct sk_buff *skb) ++{ ++ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb) ++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ ++ int ip_hl = 4*ip_hdr(skb)->ihl; ++ ++ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) { ++ /* 12 == offset into TCP header for the header length field. ++ Can't get this with skb->h.th->doff because the tcphdr ++ struct doesn't get set when routing (this is confirmed to be ++ true in Netfilter as well as QoS.) */ ++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4); ++ ++ return ip_hl + tcp_hl; ++ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) { ++ return ip_hl + 8; /* UDP header is always 8 bytes */ ++ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) { ++ return ip_hl + 8; /* ICMP header is 8 bytes */ ++ } else { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: tried to handle unknown " ++ "protocol!\n"); ++ return ip_hl + 8; /* something reasonable */ ++ } ++} ++ ++/* handles whether there's a match when we aren't appending data anymore */ ++static int match_no_append(struct nf_conn * conntrack, ++ struct nf_conn * master_conntrack, ++ enum ip_conntrack_info ctinfo, ++ enum ip_conntrack_info master_ctinfo, ++ const struct xt_layer7_info * info) ++{ ++ /* If we're in here, throw the app data away */ ++ if(master_conntrack->layer7.app_data != NULL) { ++ ++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++ if(!master_conntrack->layer7.app_proto) { ++ char * f = ++ friendly_print(master_conntrack->layer7.app_data); ++ char * g = ++ hex_print(master_conntrack->layer7.app_data); ++ DPRINTK("\nl7-filter gave up after %d bytes " ++ "(%d packets):\n%s\n", ++ strlen(f), TOTAL_PACKETS, f); ++ kfree(f); ++ DPRINTK("In hex: %s\n", g); ++ kfree(g); ++ } ++ #endif ++ ++ kfree(master_conntrack->layer7.app_data); ++ master_conntrack->layer7.app_data = NULL; /* don't free again */ ++ } ++ ++ if(master_conntrack->layer7.app_proto){ ++ /* Here child connections set their .app_proto (for /proc) */ ++ if(!conntrack->layer7.app_proto) { ++ conntrack->layer7.app_proto = ++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1, ++ GFP_ATOMIC); ++ if(!conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory " ++ "in match_no_append, " ++ "bailing.\n"); ++ return 1; ++ } ++ strcpy(conntrack->layer7.app_proto, ++ master_conntrack->layer7.app_proto); ++ } ++ ++ return (!strcmp(master_conntrack->layer7.app_proto, ++ info->protocol)); ++ } ++ else { ++ /* If not classified, set to "unknown" to distinguish from ++ connections that are still being tested. */ ++ master_conntrack->layer7.app_proto = ++ kmalloc(strlen("unknown")+1, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "match_no_append, bailing.\n"); ++ return 1; ++ } ++ strcpy(master_conntrack->layer7.app_proto, "unknown"); ++ return 0; ++ } ++} ++ ++/* add the new app data to the conntrack. Return number of bytes added. */ ++static int add_data(struct nf_conn * master_conntrack, ++ char * app_data, int appdatalen) ++{ ++ int length = 0, i; ++ int oldlength = master_conntrack->layer7.app_data_len; ++ ++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not ++ clear on whether the race condition exists or whether this really ++ fixes it. I might just be being dense... Anyway, if it's not really ++ a fix, all it does is waste a very small amount of time. */ ++ if(!master_conntrack->layer7.app_data) return 0; ++ ++ /* Strip nulls. Make everything lower case (our regex lib doesn't ++ do case insensitivity). Add it to the end of the current data. */ ++ for(i = 0; i < maxdatalen-oldlength-1 && ++ i < appdatalen; i++) { ++ if(app_data[i] != '\0') { ++ /* the kernel version of tolower mungs 'upper ascii' */ ++ master_conntrack->layer7.app_data[length+oldlength] = ++ isascii(app_data[i])? ++ tolower(app_data[i]) : app_data[i]; ++ length++; ++ } ++ } ++ ++ master_conntrack->layer7.app_data[length+oldlength] = '\0'; ++ master_conntrack->layer7.app_data_len = length + oldlength; ++ ++ return length; ++} ++ ++/* taken from drivers/video/modedb.c */ ++static int my_atoi(const char *s) ++{ ++ int val = 0; ++ ++ for (;; s++) { ++ switch (*s) { ++ case '0'...'9': ++ val = 10*val+(*s-'0'); ++ break; ++ default: ++ return val; ++ } ++ } ++} ++ ++/* write out num_packets to userland. */ ++static int layer7_read_proc(char* page, char ** start, off_t off, int count, ++ int* eof, void * data) ++{ ++ if(num_packets > 99 && net_ratelimit()) ++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); ++ ++ page[0] = num_packets/10 + '0'; ++ page[1] = num_packets%10 + '0'; ++ page[2] = '\n'; ++ page[3] = '\0'; ++ ++ *eof=1; ++ ++ return 3; ++} ++ ++/* Read in num_packets from userland */ ++static int layer7_write_proc(struct file* file, const char* buffer, ++ unsigned long count, void *data) ++{ ++ char * foo = kmalloc(count, GFP_ATOMIC); ++ ++ if(!foo){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory, bailing. " ++ "num_packets unchanged.\n"); ++ return count; ++ } ++ ++ if(copy_from_user(foo, buffer, count)) { ++ return -EFAULT; ++ } ++ ++ ++ num_packets = my_atoi(foo); ++ kfree (foo); ++ ++ /* This has an arbitrary limit to make the math easier. I'm lazy. ++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ ++ if(num_packets > 99) { ++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); ++ num_packets = 99; ++ } else if(num_packets < 1) { ++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); ++ num_packets = 1; ++ } ++ ++ return count; ++} ++ ++static int ++match(const struct sk_buff *skbin, ++ const struct net_device *in, ++ const struct net_device *out, ++ const struct xt_match *match, ++ const void *matchinfo, ++ int offset, ++ unsigned int protoff, ++ int *hotdrop) ++{ ++ /* sidestep const without getting a compiler warning... */ ++ struct sk_buff * skb = (struct sk_buff *)skbin; ++ ++ const struct xt_layer7_info * info = matchinfo; ++ enum ip_conntrack_info master_ctinfo, ctinfo; ++ struct nf_conn *master_conntrack, *conntrack; ++ unsigned char * app_data; ++ unsigned int pattern_result, appdatalen; ++ regexp * comppattern; ++ ++ /* Be paranoid/incompetent - lock the entire match function. */ ++ spin_lock_bh(&l7_lock); ++ ++ if(!can_handle(skb)){ ++ DPRINTK("layer7: This is some protocol I can't handle.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ ++ /* Treat parent & all its children together as one connection, except ++ for the purpose of setting conntrack->layer7.app_proto in the actual ++ connection. This makes /proc/net/ip_conntrack more satisfying. */ ++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) || ++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){ ++ DPRINTK("layer7: couldn't get conntrack.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ ++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */ ++ while (master_ct(master_conntrack) != NULL) ++ master_conntrack = master_ct(master_conntrack); ++ ++ /* if we've classified it or seen too many packets */ ++ if(TOTAL_PACKETS > num_packets || ++ master_conntrack->layer7.app_proto) { ++ ++ pattern_result = match_no_append(conntrack, master_conntrack, ++ ctinfo, master_ctinfo, info); ++ ++ /* skb->cb[0] == seen. Don't do things twice if there are ++ multiple l7 rules. I'm not sure that using cb for this purpose ++ is correct, even though it says "put your private variables ++ there". But it doesn't look like it is being used for anything ++ else in the skbs that make it here. */ ++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */ ++ ++ spin_unlock_bh(&l7_lock); ++ return (pattern_result ^ info->invert); ++ } ++ ++ if(skb_is_nonlinear(skb)){ ++ if(skb_linearize(skb) != 0){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: failed to linearize " ++ "packet, bailing.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ } ++ ++ /* now that the skb is linearized, it's safe to set these. */ ++ app_data = skb->data + app_data_offset(skb); ++ appdatalen = skb_tail_pointer(skb) - app_data; ++ ++ /* the return value gets checked later, when we're ready to use it */ ++ comppattern = compile_and_cache(info->pattern, info->protocol); ++ ++ /* On the first packet of a connection, allocate space for app data */ ++ if(TOTAL_PACKETS == 1 && !skb->cb[0] && ++ !master_conntrack->layer7.app_data){ ++ master_conntrack->layer7.app_data = ++ kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "match, bailing.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ ++ master_conntrack->layer7.app_data[0] = '\0'; ++ } ++ ++ /* Can be here, but unallocated, if numpackets is increased near ++ the beginning of a connection */ ++ if(master_conntrack->layer7.app_data == NULL){ ++ spin_unlock_bh(&l7_lock); ++ return (info->invert); /* unmatched */ ++ } ++ ++ if(!skb->cb[0]){ ++ int newbytes; ++ newbytes = add_data(master_conntrack, app_data, appdatalen); ++ ++ if(newbytes == 0) { /* didn't add any data */ ++ skb->cb[0] = 1; ++ /* Didn't match before, not going to match now */ ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ } ++ ++ /* If looking for "unknown", then never match. "Unknown" means that ++ we've given up; we're still trying with these packets. */ ++ if(!strcmp(info->protocol, "unknown")) { ++ pattern_result = 0; ++ /* If looking for "unset", then always match. "Unset" means that we ++ haven't yet classified the connection. */ ++ } else if(!strcmp(info->protocol, "unset")) { ++ pattern_result = 2; ++ DPRINTK("layer7: matched unset: not yet classified " ++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets); ++ /* If the regexp failed to compile, don't bother running it */ ++ } else if(comppattern && ++ regexec(comppattern, master_conntrack->layer7.app_data)){ ++ DPRINTK("layer7: matched %s\n", info->protocol); ++ pattern_result = 1; ++ } else pattern_result = 0; ++ ++ if(pattern_result == 1) { ++ master_conntrack->layer7.app_proto = ++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "match, bailing.\n"); ++ spin_unlock_bh(&l7_lock); ++ return (pattern_result ^ info->invert); ++ } ++ strcpy(master_conntrack->layer7.app_proto, info->protocol); ++ } else if(pattern_result > 1) { /* cleanup from "unset" */ ++ pattern_result = 1; ++ } ++ ++ /* mark the packet seen */ ++ skb->cb[0] = 1; ++ ++ spin_unlock_bh(&l7_lock); ++ return (pattern_result ^ info->invert); ++} ++ ++static int check(const char *tablename, ++ const void *inf, ++ const struct xt_match *match, ++ void *matchinfo, ++ unsigned int hook_mask) ++ ++{ ++ // load nf_conntrack_ipv4 ++ if (nf_ct_l3proto_try_module_get(match->family) < 0) { ++ printk(KERN_WARNING "can't load conntrack support for " ++ "proto=%d\n", match->family); ++ return false; ++ } ++ return true; ++} ++ ++static void ++destroy(const struct xt_match *match, void *matchinfo) ++{ ++ nf_ct_l3proto_module_put(match->family); ++} ++ ++static struct xt_match xt_layer7_match[] = { ++{ ++ .name = "layer7", ++ .family = AF_INET, ++ .checkentry = check, ++ .match = match, ++ .destroy = destroy, ++ .matchsize = sizeof(struct xt_layer7_info), ++ .me = THIS_MODULE ++} ++}; ++ ++static void layer7_cleanup_proc(void) ++{ ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23) ++ remove_proc_entry("layer7_numpackets", proc_net); ++#else ++ remove_proc_entry("layer7_numpackets", init_net.proc_net); ++#endif ++} ++ ++/* register the proc file */ ++static void layer7_init_proc(void) ++{ ++ struct proc_dir_entry* entry; ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23) ++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); ++#else ++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net); ++#endif ++ entry->read_proc = layer7_read_proc; ++ entry->write_proc = layer7_write_proc; ++} ++ ++static int __init xt_layer7_init(void) ++{ ++ need_conntrack(); ++ ++ layer7_init_proc(); ++ if(maxdatalen < 1) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, " ++ "using 1\n"); ++ maxdatalen = 1; ++ } ++ /* This is not a hard limit. It's just here to prevent people from ++ bringing their slow machines to a grinding halt. */ ++ else if(maxdatalen > 65536) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, " ++ "using 65536\n"); ++ maxdatalen = 65536; ++ } ++ return xt_register_matches(xt_layer7_match, ++ ARRAY_SIZE(xt_layer7_match)); ++} ++ ++static void __exit xt_layer7_fini(void) ++{ ++ layer7_cleanup_proc(); ++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match)); ++} ++ ++module_init(xt_layer7_init); ++module_exit(xt_layer7_fini); +Index: linux-2.6.22.18/net/netfilter/regexp/regexp.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/regexp/regexp.c +@@ -0,0 +1,1197 @@ ++/* ++ * regcomp and regexec -- regsub and regerror are elsewhere ++ * @(#)regexp.c 1.3 of 18 April 87 ++ * ++ * Copyright (c) 1986 by University of Toronto. ++ * Written by Henry Spencer. Not derived from licensed software. ++ * ++ * Permission is granted to anyone to use this software for any ++ * purpose on any computer system, and to redistribute it freely, ++ * subject to the following restrictions: ++ * ++ * 1. The author is not responsible for the consequences of use of ++ * this software, no matter how awful, even if they arise ++ * from defects in it. ++ * ++ * 2. The origin of this software must not be misrepresented, either ++ * by explicit claim or by omission. ++ * ++ * 3. Altered versions must be plainly marked as such, and must not ++ * be misrepresented as being the original software. ++ * ++ * Beware that some of this code is subtly aware of the way operator ++ * precedence is structured in regular expressions. Serious changes in ++ * regular-expression syntax might require a total rethink. ++ * ++ * This code was modified by Ethan Sommer to work within the kernel ++ * (it now uses kmalloc etc..) ++ * ++ * Modified slightly by Matthew Strait to use more modern C. ++ */ ++ ++#include "regexp.h" ++#include "regmagic.h" ++ ++/* added by ethan and matt. Lets it work in both kernel and user space. ++(So iptables can use it, for instance.) Yea, it goes both ways... */ ++#if __KERNEL__ ++ #define malloc(foo) kmalloc(foo,GFP_ATOMIC) ++#else ++ #define printk(format,args...) printf(format,##args) ++#endif ++ ++void regerror(char * s) ++{ ++ printk("<3>Regexp: %s\n", s); ++ /* NOTREACHED */ ++} ++ ++/* ++ * The "internal use only" fields in regexp.h are present to pass info from ++ * compile to execute that permits the execute phase to run lots faster on ++ * simple cases. They are: ++ * ++ * regstart char that must begin a match; '\0' if none obvious ++ * reganch is the match anchored (at beginning-of-line only)? ++ * regmust string (pointer into program) that match must include, or NULL ++ * regmlen length of regmust string ++ * ++ * Regstart and reganch permit very fast decisions on suitable starting points ++ * for a match, cutting down the work a lot. Regmust permits fast rejection ++ * of lines that cannot possibly match. The regmust tests are costly enough ++ * that regcomp() supplies a regmust only if the r.e. contains something ++ * potentially expensive (at present, the only such thing detected is * or + ++ * at the start of the r.e., which can involve a lot of backup). Regmlen is ++ * supplied because the test in regexec() needs it and regcomp() is computing ++ * it anyway. ++ */ ++ ++/* ++ * Structure for regexp "program". This is essentially a linear encoding ++ * of a nondeterministic finite-state machine (aka syntax charts or ++ * "railroad normal form" in parsing technology). Each node is an opcode ++ * plus a "next" pointer, possibly plus an operand. "Next" pointers of ++ * all nodes except BRANCH implement concatenation; a "next" pointer with ++ * a BRANCH on both ends of it is connecting two alternatives. (Here we ++ * have one of the subtle syntax dependencies: an individual BRANCH (as ++ * opposed to a collection of them) is never concatenated with anything ++ * because of operator precedence.) The operand of some types of node is ++ * a literal string; for others, it is a node leading into a sub-FSM. In ++ * particular, the operand of a BRANCH node is the first node of the branch. ++ * (NB this is *not* a tree structure: the tail of the branch connects ++ * to the thing following the set of BRANCHes.) The opcodes are: ++ */ ++ ++/* definition number opnd? meaning */ ++#define END 0 /* no End of program. */ ++#define BOL 1 /* no Match "" at beginning of line. */ ++#define EOL 2 /* no Match "" at end of line. */ ++#define ANY 3 /* no Match any one character. */ ++#define ANYOF 4 /* str Match any character in this string. */ ++#define ANYBUT 5 /* str Match any character not in this string. */ ++#define BRANCH 6 /* node Match this alternative, or the next... */ ++#define BACK 7 /* no Match "", "next" ptr points backward. */ ++#define EXACTLY 8 /* str Match this string. */ ++#define NOTHING 9 /* no Match empty string. */ ++#define STAR 10 /* node Match this (simple) thing 0 or more times. */ ++#define PLUS 11 /* node Match this (simple) thing 1 or more times. */ ++#define OPEN 20 /* no Mark this point in input as start of #n. */ ++ /* OPEN+1 is number 1, etc. */ ++#define CLOSE 30 /* no Analogous to OPEN. */ ++ ++/* ++ * Opcode notes: ++ * ++ * BRANCH The set of branches constituting a single choice are hooked ++ * together with their "next" pointers, since precedence prevents ++ * anything being concatenated to any individual branch. The ++ * "next" pointer of the last BRANCH in a choice points to the ++ * thing following the whole choice. This is also where the ++ * final "next" pointer of each individual branch points; each ++ * branch starts with the operand node of a BRANCH node. ++ * ++ * BACK Normal "next" pointers all implicitly point forward; BACK ++ * exists to make loop structures possible. ++ * ++ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular ++ * BRANCH structures using BACK. Simple cases (one character ++ * per match) are implemented with STAR and PLUS for speed ++ * and to minimize recursive plunges. ++ * ++ * OPEN,CLOSE ...are numbered at compile time. ++ */ ++ ++/* ++ * A node is one char of opcode followed by two chars of "next" pointer. ++ * "Next" pointers are stored as two 8-bit pieces, high order first. The ++ * value is a positive offset from the opcode of the node containing it. ++ * An operand, if any, simply follows the node. (Note that much of the ++ * code generation knows about this implicit relationship.) ++ * ++ * Using two bytes for the "next" pointer is vast overkill for most things, ++ * but allows patterns to get big without disasters. ++ */ ++#define OP(p) (*(p)) ++#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377)) ++#define OPERAND(p) ((p) + 3) ++ ++/* ++ * See regmagic.h for one further detail of program structure. ++ */ ++ ++ ++/* ++ * Utility definitions. ++ */ ++#ifndef CHARBITS ++#define UCHARAT(p) ((int)*(unsigned char *)(p)) ++#else ++#define UCHARAT(p) ((int)*(p)&CHARBITS) ++#endif ++ ++#define FAIL(m) { regerror(m); return(NULL); } ++#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?') ++#define META "^$.[()|?+*\\" ++ ++/* ++ * Flags to be passed up and down. ++ */ ++#define HASWIDTH 01 /* Known never to match null string. */ ++#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */ ++#define SPSTART 04 /* Starts with * or +. */ ++#define WORST 0 /* Worst case. */ ++ ++/* ++ * Global work variables for regcomp(). ++ */ ++struct match_globals { ++char *reginput; /* String-input pointer. */ ++char *regbol; /* Beginning of input, for ^ check. */ ++char **regstartp; /* Pointer to startp array. */ ++char **regendp; /* Ditto for endp. */ ++char *regparse; /* Input-scan pointer. */ ++int regnpar; /* () count. */ ++char regdummy; ++char *regcode; /* Code-emit pointer; ®dummy = don't. */ ++long regsize; /* Code size. */ ++}; ++ ++/* ++ * Forward declarations for regcomp()'s friends. ++ */ ++#ifndef STATIC ++#define STATIC static ++#endif ++STATIC char *reg(struct match_globals *g, int paren,int *flagp); ++STATIC char *regbranch(struct match_globals *g, int *flagp); ++STATIC char *regpiece(struct match_globals *g, int *flagp); ++STATIC char *regatom(struct match_globals *g, int *flagp); ++STATIC char *regnode(struct match_globals *g, char op); ++STATIC char *regnext(struct match_globals *g, char *p); ++STATIC void regc(struct match_globals *g, char b); ++STATIC void reginsert(struct match_globals *g, char op, char *opnd); ++STATIC void regtail(struct match_globals *g, char *p, char *val); ++STATIC void regoptail(struct match_globals *g, char *p, char *val); ++ ++ ++__kernel_size_t my_strcspn(const char *s1,const char *s2) ++{ ++ char *scan1; ++ char *scan2; ++ int count; ++ ++ count = 0; ++ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) { ++ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */ ++ if (*scan1 == *scan2++) ++ return(count); ++ count++; ++ } ++ return(count); ++} ++ ++/* ++ - regcomp - compile a regular expression into internal code ++ * ++ * We can't allocate space until we know how big the compiled form will be, ++ * but we can't compile it (and thus know how big it is) until we've got a ++ * place to put the code. So we cheat: we compile it twice, once with code ++ * generation turned off and size counting turned on, and once "for real". ++ * This also means that we don't allocate space until we are sure that the ++ * thing really will compile successfully, and we never have to move the ++ * code and thus invalidate pointers into it. (Note that it has to be in ++ * one piece because free() must be able to free it all.) ++ * ++ * Beware that the optimization-preparation code in here knows about some ++ * of the structure of the compiled regexp. ++ */ ++regexp * ++regcomp(char *exp,int *patternsize) ++{ ++ register regexp *r; ++ register char *scan; ++ register char *longest; ++ register int len; ++ int flags; ++ struct match_globals g; ++ ++ /* commented out by ethan ++ extern char *malloc(); ++ */ ++ ++ if (exp == NULL) ++ FAIL("NULL argument"); ++ ++ /* First pass: determine size, legality. */ ++ g.regparse = exp; ++ g.regnpar = 1; ++ g.regsize = 0L; ++ g.regcode = &g.regdummy; ++ regc(&g, MAGIC); ++ if (reg(&g, 0, &flags) == NULL) ++ return(NULL); ++ ++ /* Small enough for pointer-storage convention? */ ++ if (g.regsize >= 32767L) /* Probably could be 65535L. */ ++ FAIL("regexp too big"); ++ ++ /* Allocate space. */ ++ *patternsize=sizeof(regexp) + (unsigned)g.regsize; ++ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize); ++ if (r == NULL) ++ FAIL("out of space"); ++ ++ /* Second pass: emit code. */ ++ g.regparse = exp; ++ g.regnpar = 1; ++ g.regcode = r->program; ++ regc(&g, MAGIC); ++ if (reg(&g, 0, &flags) == NULL) ++ return(NULL); ++ ++ /* Dig out information for optimizations. */ ++ r->regstart = '\0'; /* Worst-case defaults. */ ++ r->reganch = 0; ++ r->regmust = NULL; ++ r->regmlen = 0; ++ scan = r->program+1; /* First BRANCH. */ ++ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */ ++ scan = OPERAND(scan); ++ ++ /* Starting-point info. */ ++ if (OP(scan) == EXACTLY) ++ r->regstart = *OPERAND(scan); ++ else if (OP(scan) == BOL) ++ r->reganch++; ++ ++ /* ++ * If there's something expensive in the r.e., find the ++ * longest literal string that must appear and make it the ++ * regmust. Resolve ties in favor of later strings, since ++ * the regstart check works with the beginning of the r.e. ++ * and avoiding duplication strengthens checking. Not a ++ * strong reason, but sufficient in the absence of others. ++ */ ++ if (flags&SPSTART) { ++ longest = NULL; ++ len = 0; ++ for (; scan != NULL; scan = regnext(&g, scan)) ++ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { ++ longest = OPERAND(scan); ++ len = strlen(OPERAND(scan)); ++ } ++ r->regmust = longest; ++ r->regmlen = len; ++ } ++ } ++ ++ return(r); ++} ++ ++/* ++ - reg - regular expression, i.e. main body or parenthesized thing ++ * ++ * Caller must absorb opening parenthesis. ++ * ++ * Combining parenthesis handling with the base level of regular expression ++ * is a trifle forced, but the need to tie the tails of the branches to what ++ * follows makes it hard to avoid. ++ */ ++static char * ++reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ ) ++{ ++ register char *ret; ++ register char *br; ++ register char *ender; ++ register int parno = 0; /* 0 makes gcc happy */ ++ int flags; ++ ++ *flagp = HASWIDTH; /* Tentatively. */ ++ ++ /* Make an OPEN node, if parenthesized. */ ++ if (paren) { ++ if (g->regnpar >= NSUBEXP) ++ FAIL("too many ()"); ++ parno = g->regnpar; ++ g->regnpar++; ++ ret = regnode(g, OPEN+parno); ++ } else ++ ret = NULL; ++ ++ /* Pick up the branches, linking them together. */ ++ br = regbranch(g, &flags); ++ if (br == NULL) ++ return(NULL); ++ if (ret != NULL) ++ regtail(g, ret, br); /* OPEN -> first. */ ++ else ++ ret = br; ++ if (!(flags&HASWIDTH)) ++ *flagp &= ~HASWIDTH; ++ *flagp |= flags&SPSTART; ++ while (*g->regparse == '|') { ++ g->regparse++; ++ br = regbranch(g, &flags); ++ if (br == NULL) ++ return(NULL); ++ regtail(g, ret, br); /* BRANCH -> BRANCH. */ ++ if (!(flags&HASWIDTH)) ++ *flagp &= ~HASWIDTH; ++ *flagp |= flags&SPSTART; ++ } ++ ++ /* Make a closing node, and hook it on the end. */ ++ ender = regnode(g, (paren) ? CLOSE+parno : END); ++ regtail(g, ret, ender); ++ ++ /* Hook the tails of the branches to the closing node. */ ++ for (br = ret; br != NULL; br = regnext(g, br)) ++ regoptail(g, br, ender); ++ ++ /* Check for proper termination. */ ++ if (paren && *g->regparse++ != ')') { ++ FAIL("unmatched ()"); ++ } else if (!paren && *g->regparse != '\0') { ++ if (*g->regparse == ')') { ++ FAIL("unmatched ()"); ++ } else ++ FAIL("junk on end"); /* "Can't happen". */ ++ /* NOTREACHED */ ++ } ++ ++ return(ret); ++} ++ ++/* ++ - regbranch - one alternative of an | operator ++ * ++ * Implements the concatenation operator. ++ */ ++static char * ++regbranch(struct match_globals *g, int *flagp) ++{ ++ register char *ret; ++ register char *chain; ++ register char *latest; ++ int flags; ++ ++ *flagp = WORST; /* Tentatively. */ ++ ++ ret = regnode(g, BRANCH); ++ chain = NULL; ++ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') { ++ latest = regpiece(g, &flags); ++ if (latest == NULL) ++ return(NULL); ++ *flagp |= flags&HASWIDTH; ++ if (chain == NULL) /* First piece. */ ++ *flagp |= flags&SPSTART; ++ else ++ regtail(g, chain, latest); ++ chain = latest; ++ } ++ if (chain == NULL) /* Loop ran zero times. */ ++ (void) regnode(g, NOTHING); ++ ++ return(ret); ++} ++ ++/* ++ - regpiece - something followed by possible [*+?] ++ * ++ * Note that the branching code sequences used for ? and the general cases ++ * of * and + are somewhat optimized: they use the same NOTHING node as ++ * both the endmarker for their branch list and the body of the last branch. ++ * It might seem that this node could be dispensed with entirely, but the ++ * endmarker role is not redundant. ++ */ ++static char * ++regpiece(struct match_globals *g, int *flagp) ++{ ++ register char *ret; ++ register char op; ++ register char *next; ++ int flags; ++ ++ ret = regatom(g, &flags); ++ if (ret == NULL) ++ return(NULL); ++ ++ op = *g->regparse; ++ if (!ISMULT(op)) { ++ *flagp = flags; ++ return(ret); ++ } ++ ++ if (!(flags&HASWIDTH) && op != '?') ++ FAIL("*+ operand could be empty"); ++ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH); ++ ++ if (op == '*' && (flags&SIMPLE)) ++ reginsert(g, STAR, ret); ++ else if (op == '*') { ++ /* Emit x* as (x&|), where & means "self". */ ++ reginsert(g, BRANCH, ret); /* Either x */ ++ regoptail(g, ret, regnode(g, BACK)); /* and loop */ ++ regoptail(g, ret, ret); /* back */ ++ regtail(g, ret, regnode(g, BRANCH)); /* or */ ++ regtail(g, ret, regnode(g, NOTHING)); /* null. */ ++ } else if (op == '+' && (flags&SIMPLE)) ++ reginsert(g, PLUS, ret); ++ else if (op == '+') { ++ /* Emit x+ as x(&|), where & means "self". */ ++ next = regnode(g, BRANCH); /* Either */ ++ regtail(g, ret, next); ++ regtail(g, regnode(g, BACK), ret); /* loop back */ ++ regtail(g, next, regnode(g, BRANCH)); /* or */ ++ regtail(g, ret, regnode(g, NOTHING)); /* null. */ ++ } else if (op == '?') { ++ /* Emit x? as (x|) */ ++ reginsert(g, BRANCH, ret); /* Either x */ ++ regtail(g, ret, regnode(g, BRANCH)); /* or */ ++ next = regnode(g, NOTHING); /* null. */ ++ regtail(g, ret, next); ++ regoptail(g, ret, next); ++ } ++ g->regparse++; ++ if (ISMULT(*g->regparse)) ++ FAIL("nested *?+"); ++ ++ return(ret); ++} ++ ++/* ++ - regatom - the lowest level ++ * ++ * Optimization: gobbles an entire sequence of ordinary characters so that ++ * it can turn them into a single node, which is smaller to store and ++ * faster to run. Backslashed characters are exceptions, each becoming a ++ * separate node; the code is simpler that way and it's not worth fixing. ++ */ ++static char * ++regatom(struct match_globals *g, int *flagp) ++{ ++ register char *ret; ++ int flags; ++ ++ *flagp = WORST; /* Tentatively. */ ++ ++ switch (*g->regparse++) { ++ case '^': ++ ret = regnode(g, BOL); ++ break; ++ case '$': ++ ret = regnode(g, EOL); ++ break; ++ case '.': ++ ret = regnode(g, ANY); ++ *flagp |= HASWIDTH|SIMPLE; ++ break; ++ case '[': { ++ register int class; ++ register int classend; ++ ++ if (*g->regparse == '^') { /* Complement of range. */ ++ ret = regnode(g, ANYBUT); ++ g->regparse++; ++ } else ++ ret = regnode(g, ANYOF); ++ if (*g->regparse == ']' || *g->regparse == '-') ++ regc(g, *g->regparse++); ++ while (*g->regparse != '\0' && *g->regparse != ']') { ++ if (*g->regparse == '-') { ++ g->regparse++; ++ if (*g->regparse == ']' || *g->regparse == '\0') ++ regc(g, '-'); ++ else { ++ class = UCHARAT(g->regparse-2)+1; ++ classend = UCHARAT(g->regparse); ++ if (class > classend+1) ++ FAIL("invalid [] range"); ++ for (; class <= classend; class++) ++ regc(g, class); ++ g->regparse++; ++ } ++ } else ++ regc(g, *g->regparse++); ++ } ++ regc(g, '\0'); ++ if (*g->regparse != ']') ++ FAIL("unmatched []"); ++ g->regparse++; ++ *flagp |= HASWIDTH|SIMPLE; ++ } ++ break; ++ case '(': ++ ret = reg(g, 1, &flags); ++ if (ret == NULL) ++ return(NULL); ++ *flagp |= flags&(HASWIDTH|SPSTART); ++ break; ++ case '\0': ++ case '|': ++ case ')': ++ FAIL("internal urp"); /* Supposed to be caught earlier. */ ++ break; ++ case '?': ++ case '+': ++ case '*': ++ FAIL("?+* follows nothing"); ++ break; ++ case '\\': ++ if (*g->regparse == '\0') ++ FAIL("trailing \\"); ++ ret = regnode(g, EXACTLY); ++ regc(g, *g->regparse++); ++ regc(g, '\0'); ++ *flagp |= HASWIDTH|SIMPLE; ++ break; ++ default: { ++ register int len; ++ register char ender; ++ ++ g->regparse--; ++ len = my_strcspn((const char *)g->regparse, (const char *)META); ++ if (len <= 0) ++ FAIL("internal disaster"); ++ ender = *(g->regparse+len); ++ if (len > 1 && ISMULT(ender)) ++ len--; /* Back off clear of ?+* operand. */ ++ *flagp |= HASWIDTH; ++ if (len == 1) ++ *flagp |= SIMPLE; ++ ret = regnode(g, EXACTLY); ++ while (len > 0) { ++ regc(g, *g->regparse++); ++ len--; ++ } ++ regc(g, '\0'); ++ } ++ break; ++ } ++ ++ return(ret); ++} ++ ++/* ++ - regnode - emit a node ++ */ ++static char * /* Location. */ ++regnode(struct match_globals *g, char op) ++{ ++ register char *ret; ++ register char *ptr; ++ ++ ret = g->regcode; ++ if (ret == &g->regdummy) { ++ g->regsize += 3; ++ return(ret); ++ } ++ ++ ptr = ret; ++ *ptr++ = op; ++ *ptr++ = '\0'; /* Null "next" pointer. */ ++ *ptr++ = '\0'; ++ g->regcode = ptr; ++ ++ return(ret); ++} ++ ++/* ++ - regc - emit (if appropriate) a byte of code ++ */ ++static void ++regc(struct match_globals *g, char b) ++{ ++ if (g->regcode != &g->regdummy) ++ *g->regcode++ = b; ++ else ++ g->regsize++; ++} ++ ++/* ++ - reginsert - insert an operator in front of already-emitted operand ++ * ++ * Means relocating the operand. ++ */ ++static void ++reginsert(struct match_globals *g, char op, char* opnd) ++{ ++ register char *src; ++ register char *dst; ++ register char *place; ++ ++ if (g->regcode == &g->regdummy) { ++ g->regsize += 3; ++ return; ++ } ++ ++ src = g->regcode; ++ g->regcode += 3; ++ dst = g->regcode; ++ while (src > opnd) ++ *--dst = *--src; ++ ++ place = opnd; /* Op node, where operand used to be. */ ++ *place++ = op; ++ *place++ = '\0'; ++ *place++ = '\0'; ++} ++ ++/* ++ - regtail - set the next-pointer at the end of a node chain ++ */ ++static void ++regtail(struct match_globals *g, char *p, char *val) ++{ ++ register char *scan; ++ register char *temp; ++ register int offset; ++ ++ if (p == &g->regdummy) ++ return; ++ ++ /* Find last node. */ ++ scan = p; ++ for (;;) { ++ temp = regnext(g, scan); ++ if (temp == NULL) ++ break; ++ scan = temp; ++ } ++ ++ if (OP(scan) == BACK) ++ offset = scan - val; ++ else ++ offset = val - scan; ++ *(scan+1) = (offset>>8)&0377; ++ *(scan+2) = offset&0377; ++} ++ ++/* ++ - regoptail - regtail on operand of first argument; nop if operandless ++ */ ++static void ++regoptail(struct match_globals *g, char *p, char *val) ++{ ++ /* "Operandless" and "op != BRANCH" are synonymous in practice. */ ++ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH) ++ return; ++ regtail(g, OPERAND(p), val); ++} ++ ++/* ++ * regexec and friends ++ */ ++ ++ ++/* ++ * Forwards. ++ */ ++STATIC int regtry(struct match_globals *g, regexp *prog, char *string); ++STATIC int regmatch(struct match_globals *g, char *prog); ++STATIC int regrepeat(struct match_globals *g, char *p); ++ ++#ifdef DEBUG ++int regnarrate = 0; ++void regdump(); ++STATIC char *regprop(char *op); ++#endif ++ ++/* ++ - regexec - match a regexp against a string ++ */ ++int ++regexec(regexp *prog, char *string) ++{ ++ register char *s; ++ struct match_globals g; ++ ++ /* Be paranoid... */ ++ if (prog == NULL || string == NULL) { ++ printk("<3>Regexp: NULL parameter\n"); ++ return(0); ++ } ++ ++ /* Check validity of program. */ ++ if (UCHARAT(prog->program) != MAGIC) { ++ printk("<3>Regexp: corrupted program\n"); ++ return(0); ++ } ++ ++ /* If there is a "must appear" string, look for it. */ ++ if (prog->regmust != NULL) { ++ s = string; ++ while ((s = strchr(s, prog->regmust[0])) != NULL) { ++ if (strncmp(s, prog->regmust, prog->regmlen) == 0) ++ break; /* Found it. */ ++ s++; ++ } ++ if (s == NULL) /* Not present. */ ++ return(0); ++ } ++ ++ /* Mark beginning of line for ^ . */ ++ g.regbol = string; ++ ++ /* Simplest case: anchored match need be tried only once. */ ++ if (prog->reganch) ++ return(regtry(&g, prog, string)); ++ ++ /* Messy cases: unanchored match. */ ++ s = string; ++ if (prog->regstart != '\0') ++ /* We know what char it must start with. */ ++ while ((s = strchr(s, prog->regstart)) != NULL) { ++ if (regtry(&g, prog, s)) ++ return(1); ++ s++; ++ } ++ else ++ /* We don't -- general case. */ ++ do { ++ if (regtry(&g, prog, s)) ++ return(1); ++ } while (*s++ != '\0'); ++ ++ /* Failure. */ ++ return(0); ++} ++ ++/* ++ - regtry - try match at specific point ++ */ ++static int /* 0 failure, 1 success */ ++regtry(struct match_globals *g, regexp *prog, char *string) ++{ ++ register int i; ++ register char **sp; ++ register char **ep; ++ ++ g->reginput = string; ++ g->regstartp = prog->startp; ++ g->regendp = prog->endp; ++ ++ sp = prog->startp; ++ ep = prog->endp; ++ for (i = NSUBEXP; i > 0; i--) { ++ *sp++ = NULL; ++ *ep++ = NULL; ++ } ++ if (regmatch(g, prog->program + 1)) { ++ prog->startp[0] = string; ++ prog->endp[0] = g->reginput; ++ return(1); ++ } else ++ return(0); ++} ++ ++/* ++ - regmatch - main matching routine ++ * ++ * Conceptually the strategy is simple: check to see whether the current ++ * node matches, call self recursively to see whether the rest matches, ++ * and then act accordingly. In practice we make some effort to avoid ++ * recursion, in particular by going through "ordinary" nodes (that don't ++ * need to know whether the rest of the match failed) by a loop instead of ++ * by recursion. ++ */ ++static int /* 0 failure, 1 success */ ++regmatch(struct match_globals *g, char *prog) ++{ ++ register char *scan = prog; /* Current node. */ ++ char *next; /* Next node. */ ++ ++#ifdef DEBUG ++ if (scan != NULL && regnarrate) ++ fprintf(stderr, "%s(\n", regprop(scan)); ++#endif ++ while (scan != NULL) { ++#ifdef DEBUG ++ if (regnarrate) ++ fprintf(stderr, "%s...\n", regprop(scan)); ++#endif ++ next = regnext(g, scan); ++ ++ switch (OP(scan)) { ++ case BOL: ++ if (g->reginput != g->regbol) ++ return(0); ++ break; ++ case EOL: ++ if (*g->reginput != '\0') ++ return(0); ++ break; ++ case ANY: ++ if (*g->reginput == '\0') ++ return(0); ++ g->reginput++; ++ break; ++ case EXACTLY: { ++ register int len; ++ register char *opnd; ++ ++ opnd = OPERAND(scan); ++ /* Inline the first character, for speed. */ ++ if (*opnd != *g->reginput) ++ return(0); ++ len = strlen(opnd); ++ if (len > 1 && strncmp(opnd, g->reginput, len) != 0) ++ return(0); ++ g->reginput += len; ++ } ++ break; ++ case ANYOF: ++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL) ++ return(0); ++ g->reginput++; ++ break; ++ case ANYBUT: ++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL) ++ return(0); ++ g->reginput++; ++ break; ++ case NOTHING: ++ case BACK: ++ break; ++ case OPEN+1: ++ case OPEN+2: ++ case OPEN+3: ++ case OPEN+4: ++ case OPEN+5: ++ case OPEN+6: ++ case OPEN+7: ++ case OPEN+8: ++ case OPEN+9: { ++ register int no; ++ register char *save; ++ ++ no = OP(scan) - OPEN; ++ save = g->reginput; ++ ++ if (regmatch(g, next)) { ++ /* ++ * Don't set startp if some later ++ * invocation of the same parentheses ++ * already has. ++ */ ++ if (g->regstartp[no] == NULL) ++ g->regstartp[no] = save; ++ return(1); ++ } else ++ return(0); ++ } ++ break; ++ case CLOSE+1: ++ case CLOSE+2: ++ case CLOSE+3: ++ case CLOSE+4: ++ case CLOSE+5: ++ case CLOSE+6: ++ case CLOSE+7: ++ case CLOSE+8: ++ case CLOSE+9: ++ { ++ register int no; ++ register char *save; ++ ++ no = OP(scan) - CLOSE; ++ save = g->reginput; ++ ++ if (regmatch(g, next)) { ++ /* ++ * Don't set endp if some later ++ * invocation of the same parentheses ++ * already has. ++ */ ++ if (g->regendp[no] == NULL) ++ g->regendp[no] = save; ++ return(1); ++ } else ++ return(0); ++ } ++ break; ++ case BRANCH: { ++ register char *save; ++ ++ if (OP(next) != BRANCH) /* No choice. */ ++ next = OPERAND(scan); /* Avoid recursion. */ ++ else { ++ do { ++ save = g->reginput; ++ if (regmatch(g, OPERAND(scan))) ++ return(1); ++ g->reginput = save; ++ scan = regnext(g, scan); ++ } while (scan != NULL && OP(scan) == BRANCH); ++ return(0); ++ /* NOTREACHED */ ++ } ++ } ++ break; ++ case STAR: ++ case PLUS: { ++ register char nextch; ++ register int no; ++ register char *save; ++ register int min; ++ ++ /* ++ * Lookahead to avoid useless match attempts ++ * when we know what character comes next. ++ */ ++ nextch = '\0'; ++ if (OP(next) == EXACTLY) ++ nextch = *OPERAND(next); ++ min = (OP(scan) == STAR) ? 0 : 1; ++ save = g->reginput; ++ no = regrepeat(g, OPERAND(scan)); ++ while (no >= min) { ++ /* If it could work, try it. */ ++ if (nextch == '\0' || *g->reginput == nextch) ++ if (regmatch(g, next)) ++ return(1); ++ /* Couldn't or didn't -- back up. */ ++ no--; ++ g->reginput = save + no; ++ } ++ return(0); ++ } ++ break; ++ case END: ++ return(1); /* Success! */ ++ break; ++ default: ++ printk("<3>Regexp: memory corruption\n"); ++ return(0); ++ break; ++ } ++ ++ scan = next; ++ } ++ ++ /* ++ * We get here only if there's trouble -- normally "case END" is ++ * the terminating point. ++ */ ++ printk("<3>Regexp: corrupted pointers\n"); ++ return(0); ++} ++ ++/* ++ - regrepeat - repeatedly match something simple, report how many ++ */ ++static int ++regrepeat(struct match_globals *g, char *p) ++{ ++ register int count = 0; ++ register char *scan; ++ register char *opnd; ++ ++ scan = g->reginput; ++ opnd = OPERAND(p); ++ switch (OP(p)) { ++ case ANY: ++ count = strlen(scan); ++ scan += count; ++ break; ++ case EXACTLY: ++ while (*opnd == *scan) { ++ count++; ++ scan++; ++ } ++ break; ++ case ANYOF: ++ while (*scan != '\0' && strchr(opnd, *scan) != NULL) { ++ count++; ++ scan++; ++ } ++ break; ++ case ANYBUT: ++ while (*scan != '\0' && strchr(opnd, *scan) == NULL) { ++ count++; ++ scan++; ++ } ++ break; ++ default: /* Oh dear. Called inappropriately. */ ++ printk("<3>Regexp: internal foulup\n"); ++ count = 0; /* Best compromise. */ ++ break; ++ } ++ g->reginput = scan; ++ ++ return(count); ++} ++ ++/* ++ - regnext - dig the "next" pointer out of a node ++ */ ++static char* ++regnext(struct match_globals *g, char *p) ++{ ++ register int offset; ++ ++ if (p == &g->regdummy) ++ return(NULL); ++ ++ offset = NEXT(p); ++ if (offset == 0) ++ return(NULL); ++ ++ if (OP(p) == BACK) ++ return(p-offset); ++ else ++ return(p+offset); ++} ++ ++#ifdef DEBUG ++ ++STATIC char *regprop(); ++ ++/* ++ - regdump - dump a regexp onto stdout in vaguely comprehensible form ++ */ ++void ++regdump(regexp *r) ++{ ++ register char *s; ++ register char op = EXACTLY; /* Arbitrary non-END op. */ ++ register char *next; ++ /* extern char *strchr(); */ ++ ++ ++ s = r->program + 1; ++ while (op != END) { /* While that wasn't END last time... */ ++ op = OP(s); ++ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */ ++ next = regnext(s); ++ if (next == NULL) /* Next ptr. */ ++ printf("(0)"); ++ else ++ printf("(%d)", (s-r->program)+(next-s)); ++ s += 3; ++ if (op == ANYOF || op == ANYBUT || op == EXACTLY) { ++ /* Literal string, where present. */ ++ while (*s != '\0') { ++ putchar(*s); ++ s++; ++ } ++ s++; ++ } ++ putchar('\n'); ++ } ++ ++ /* Header fields of interest. */ ++ if (r->regstart != '\0') ++ printf("start `%c' ", r->regstart); ++ if (r->reganch) ++ printf("anchored "); ++ if (r->regmust != NULL) ++ printf("must have \"%s\"", r->regmust); ++ printf("\n"); ++} ++ ++/* ++ - regprop - printable representation of opcode ++ */ ++static char * ++regprop(char *op) ++{ ++#define BUFLEN 50 ++ register char *p; ++ static char buf[BUFLEN]; ++ ++ strcpy(buf, ":"); ++ ++ switch (OP(op)) { ++ case BOL: ++ p = "BOL"; ++ break; ++ case EOL: ++ p = "EOL"; ++ break; ++ case ANY: ++ p = "ANY"; ++ break; ++ case ANYOF: ++ p = "ANYOF"; ++ break; ++ case ANYBUT: ++ p = "ANYBUT"; ++ break; ++ case BRANCH: ++ p = "BRANCH"; ++ break; ++ case EXACTLY: ++ p = "EXACTLY"; ++ break; ++ case NOTHING: ++ p = "NOTHING"; ++ break; ++ case BACK: ++ p = "BACK"; ++ break; ++ case END: ++ p = "END"; ++ break; ++ case OPEN+1: ++ case OPEN+2: ++ case OPEN+3: ++ case OPEN+4: ++ case OPEN+5: ++ case OPEN+6: ++ case OPEN+7: ++ case OPEN+8: ++ case OPEN+9: ++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN); ++ p = NULL; ++ break; ++ case CLOSE+1: ++ case CLOSE+2: ++ case CLOSE+3: ++ case CLOSE+4: ++ case CLOSE+5: ++ case CLOSE+6: ++ case CLOSE+7: ++ case CLOSE+8: ++ case CLOSE+9: ++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE); ++ p = NULL; ++ break; ++ case STAR: ++ p = "STAR"; ++ break; ++ case PLUS: ++ p = "PLUS"; ++ break; ++ default: ++ printk("<3>Regexp: corrupted opcode\n"); ++ break; ++ } ++ if (p != NULL) ++ strncat(buf, p, BUFLEN-strlen(buf)); ++ return(buf); ++} ++#endif ++ ++ +Index: linux-2.6.22.18/net/netfilter/regexp/regexp.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/regexp/regexp.h +@@ -0,0 +1,41 @@ ++/* ++ * Definitions etc. for regexp(3) routines. ++ * ++ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], ++ * not the System V one. ++ */ ++ ++#ifndef REGEXP_H ++#define REGEXP_H ++ ++ ++/* ++http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h , ++which contains a version of this library, says: ++ ++ * ++ * NSUBEXP must be at least 10, and no greater than 117 or the parser ++ * will not work properly. ++ * ++ ++However, it looks rather like this library is limited to 10. If you think ++otherwise, let us know. ++*/ ++ ++#define NSUBEXP 10 ++typedef struct regexp { ++ char *startp[NSUBEXP]; ++ char *endp[NSUBEXP]; ++ char regstart; /* Internal use only. */ ++ char reganch; /* Internal use only. */ ++ char *regmust; /* Internal use only. */ ++ int regmlen; /* Internal use only. */ ++ char program[1]; /* Unwarranted chumminess with compiler. */ ++} regexp; ++ ++regexp * regcomp(char *exp, int *patternsize); ++int regexec(regexp *prog, char *string); ++void regsub(regexp *prog, char *source, char *dest); ++void regerror(char *s); ++ ++#endif +Index: linux-2.6.22.18/net/netfilter/regexp/regmagic.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/regexp/regmagic.h +@@ -0,0 +1,5 @@ ++/* ++ * The first byte of the regexp internal "program" is actually this magic ++ * number; the start node begins in the second byte. ++ */ ++#define MAGIC 0234 +Index: linux-2.6.22.18/net/netfilter/regexp/regsub.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/regexp/regsub.c +@@ -0,0 +1,95 @@ ++/* ++ * regsub ++ * @(#)regsub.c 1.3 of 2 April 86 ++ * ++ * Copyright (c) 1986 by University of Toronto. ++ * Written by Henry Spencer. Not derived from licensed software. ++ * ++ * Permission is granted to anyone to use this software for any ++ * purpose on any computer system, and to redistribute it freely, ++ * subject to the following restrictions: ++ * ++ * 1. The author is not responsible for the consequences of use of ++ * this software, no matter how awful, even if they arise ++ * from defects in it. ++ * ++ * 2. The origin of this software must not be misrepresented, either ++ * by explicit claim or by omission. ++ * ++ * 3. Altered versions must be plainly marked as such, and must not ++ * be misrepresented as being the original software. ++ * ++ * ++ * This code was modified by Ethan Sommer to work within the kernel ++ * (it now uses kmalloc etc..) ++ * ++ */ ++#include "regexp.h" ++#include "regmagic.h" ++#include ++ ++ ++#ifndef CHARBITS ++#define UCHARAT(p) ((int)*(unsigned char *)(p)) ++#else ++#define UCHARAT(p) ((int)*(p)&CHARBITS) ++#endif ++ ++#if 0 ++//void regerror(char * s) ++//{ ++// printk("regexp(3): %s", s); ++// /* NOTREACHED */ ++//} ++#endif ++ ++/* ++ - regsub - perform substitutions after a regexp match ++ */ ++void ++regsub(regexp * prog, char * source, char * dest) ++{ ++ register char *src; ++ register char *dst; ++ register char c; ++ register int no; ++ register int len; ++ ++ /* Not necessary and gcc doesn't like it -MLS */ ++ /*extern char *strncpy();*/ ++ ++ if (prog == NULL || source == NULL || dest == NULL) { ++ regerror("NULL parm to regsub"); ++ return; ++ } ++ if (UCHARAT(prog->program) != MAGIC) { ++ regerror("damaged regexp fed to regsub"); ++ return; ++ } ++ ++ src = source; ++ dst = dest; ++ while ((c = *src++) != '\0') { ++ if (c == '&') ++ no = 0; ++ else if (c == '\\' && '0' <= *src && *src <= '9') ++ no = *src++ - '0'; ++ else ++ no = -1; ++ ++ if (no < 0) { /* Ordinary character. */ ++ if (c == '\\' && (*src == '\\' || *src == '&')) ++ c = *src++; ++ *dst++ = c; ++ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { ++ len = prog->endp[no] - prog->startp[no]; ++ (void) strncpy(dst, prog->startp[no], len); ++ dst += len; ++ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */ ++ regerror("damaged match string"); ++ return; ++ } ++ } ++ } ++ *dst++ = '\0'; ++} +Index: linux-2.6.22.18/net/netfilter/nf_conntrack_core.c +=================================================================== +--- linux-2.6.22.18.orig/net/netfilter/nf_conntrack_core.c ++++ linux-2.6.22.18/net/netfilter/nf_conntrack_core.c +@@ -330,6 +330,14 @@ destroy_conntrack(struct nf_conntrack *n + * too. */ + nf_ct_remove_expectations(ct); + ++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ if(ct->layer7.app_proto) ++ kfree(ct->layer7.app_proto); ++ if(ct->layer7.app_data) ++ kfree(ct->layer7.app_data); ++ #endif ++ ++ + /* We overload first tuple to link into unconfirmed list. */ + if (!nf_ct_is_confirmed(ct)) { + BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); +Index: linux-2.6.22.18/net/netfilter/nf_conntrack_standalone.c +=================================================================== +--- linux-2.6.22.18.orig/net/netfilter/nf_conntrack_standalone.c ++++ linux-2.6.22.18/net/netfilter/nf_conntrack_standalone.c +@@ -184,7 +184,12 @@ static int ct_seq_show(struct seq_file * + return -ENOSPC; + #endif + +- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) ++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ if(conntrack->layer7.app_proto) ++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto)) ++ return -ENOSPC; ++#endif ++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use))) + return -ENOSPC; + + return 0; +Index: linux-2.6.22.18/include/net/netfilter/nf_conntrack.h +=================================================================== +--- linux-2.6.22.18.orig/include/net/netfilter/nf_conntrack.h ++++ linux-2.6.22.18/include/net/netfilter/nf_conntrack.h +@@ -128,6 +128,22 @@ struct nf_conn + u_int32_t secmark; + #endif + ++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \ ++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ struct { ++ /* ++ * e.g. "http". NULL before decision. "unknown" after decision ++ * if no match. ++ */ ++ char *app_proto; ++ /* ++ * application layer data so far. NULL after match decision. ++ */ ++ char *app_data; ++ unsigned int app_data_len; ++ } layer7; ++#endif ++ + /* Storage reserved for other modules: */ + union nf_conntrack_proto proto; + +Index: linux-2.6.22.18/include/linux/netfilter/xt_layer7.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/include/linux/netfilter/xt_layer7.h +@@ -0,0 +1,13 @@ ++#ifndef _XT_LAYER7_H ++#define _XT_LAYER7_H ++ ++#define MAX_PATTERN_LEN 8192 ++#define MAX_PROTOCOL_LEN 256 ++ ++struct xt_layer7_info { ++ char protocol[MAX_PROTOCOL_LEN]; ++ char pattern[MAX_PATTERN_LEN]; ++ u_int8_t invert; ++}; ++ ++#endif /* _XT_LAYER7_H */ diff --git a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch deleted file mode 100644 index 0b16a30313..0000000000 --- a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch +++ /dev/null @@ -1,2080 +0,0 @@ -Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:43:29.440242750 +0200 -@@ -0,0 +1,26 @@ -+/* -+ By Matthew Strait , Dec 2003. -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#ifndef _IPT_LAYER7_H -+#define _IPT_LAYER7_H -+ -+#define MAX_PATTERN_LEN 8192 -+#define MAX_PROTOCOL_LEN 256 -+ -+typedef char *(*proc_ipt_search) (char *, char, char *); -+ -+struct ipt_layer7_info { -+ char protocol[MAX_PROTOCOL_LEN]; -+ char invert:1; -+ char pattern[MAX_PATTERN_LEN]; -+}; -+ -+#endif /* _IPT_LAYER7_H */ -Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c -=================================================================== ---- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:21.833537750 +0200 -+++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:23.497641750 +0200 -@@ -330,6 +330,13 @@ - * too. */ - nf_ct_remove_expectations(ct); - -+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ if(ct->layer7.app_proto) -+ kfree(ct->layer7.app_proto); -+ if(ct->layer7.app_data) -+ kfree(ct->layer7.app_data); -+ #endif -+ - /* We overload first tuple to link into unconfirmed list. */ - if (!nf_ct_is_confirmed(ct)) { - BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); -Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c -=================================================================== ---- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:21.845538500 +0200 -+++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:23.521643250 +0200 -@@ -184,6 +184,12 @@ - return -ENOSPC; - #endif - -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ if(conntrack->layer7.app_proto) -+ if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto)) -+ return 1; -+#endif -+ - if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) - return -ENOSPC; - -Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:43:44.341174000 +0200 -@@ -0,0 +1,583 @@ -+/* -+ Kernel module to match application layer (OSI layer 7) data in connections. -+ -+ http://l7-filter.sf.net -+ -+ By Matthew Strait and Ethan Sommer, 2003-2006. -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+ -+ Based on ipt_string.c (C) 2000 Emmanuel Roger -+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski -+ -+ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack -+*/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "regexp/regexp.c" -+ -+#include -+#include -+ -+MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); -+MODULE_LICENSE("GPL"); -+MODULE_DESCRIPTION("iptables application layer match module"); -+MODULE_VERSION("2.0"); -+ -+static int maxdatalen = 2048; // this is the default -+module_param(maxdatalen, int, 0444); -+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter"); -+ -+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+ #define DPRINTK(format,args...) printk(format,##args) -+#else -+ #define DPRINTK(format,args...) -+#endif -+ -+#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \ -+ master_conntrack->counters[IP_CT_DIR_REPLY].packets -+ -+/* Number of packets whose data we look at. -+This can be modified through /proc/net/layer7_numpackets */ -+static int num_packets = 10; -+ -+static struct pattern_cache { -+ char * regex_string; -+ regexp * pattern; -+ struct pattern_cache * next; -+} * first_pattern_cache = NULL; -+ -+/* I'm new to locking. Here are my assumptions: -+ -+- No one will write to /proc/net/layer7_numpackets over and over very fast; -+ if they did, nothing awful would happen. -+ -+- This code will never be processing the same packet twice at the same time, -+ because iptables rules are traversed in order. -+ -+- It doesn't matter if two packets from different connections are in here at -+ the same time, because they don't share any data. -+ -+- It _does_ matter if two packets from the same connection (or one from a -+ master and one from its child) are here at the same time. In this case, -+ we have to protect the conntracks and the list of compiled patterns. -+*/ -+DEFINE_RWLOCK(ct_lock); -+DEFINE_SPINLOCK(list_lock); -+ -+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+/* Converts an unfriendly string into a friendly one by -+replacing unprintables with periods and all whitespace with " ". */ -+static char * friendly_print(unsigned char * s) -+{ -+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC); -+ int i; -+ -+ if(!f) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n"); -+ return NULL; -+ } -+ -+ for(i = 0; i < strlen(s); i++){ -+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i]; -+ else if(isspace(s[i])) f[i] = ' '; -+ else f[i] = '.'; -+ } -+ f[i] = '\0'; -+ return f; -+} -+ -+static char dec2hex(int i) -+{ -+ switch (i) { -+ case 0 ... 9: -+ return (char)(i + '0'); -+ break; -+ case 10 ... 15: -+ return (char)(i - 10 + 'a'); -+ break; -+ default: -+ if (net_ratelimit()) -+ printk("Problem in dec2hex\n"); -+ return '\0'; -+ } -+} -+ -+static char * hex_print(unsigned char * s) -+{ -+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC); -+ int i; -+ -+ if(!g) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n"); -+ return NULL; -+ } -+ -+ for(i = 0; i < strlen(s); i++) { -+ g[i*3 ] = dec2hex(s[i]/16); -+ g[i*3 + 1] = dec2hex(s[i]%16); -+ g[i*3 + 2] = ' '; -+ } -+ g[i*3] = '\0'; -+ -+ return g; -+} -+#endif // DEBUG -+ -+/* Use instead of regcomp. As we expect to be seeing the same regexps over and -+over again, it make sense to cache the results. */ -+static regexp * compile_and_cache(char * regex_string, char * protocol) -+{ -+ struct pattern_cache * node = first_pattern_cache; -+ struct pattern_cache * last_pattern_cache = first_pattern_cache; -+ struct pattern_cache * tmp; -+ unsigned int len; -+ -+ while (node != NULL) { -+ if (!strcmp(node->regex_string, regex_string)) -+ return node->pattern; -+ -+ last_pattern_cache = node;/* points at the last non-NULL node */ -+ node = node->next; -+ } -+ -+ /* If we reach the end of the list, then we have not yet cached -+ the pattern for this regex. Let's do that now. -+ Be paranoid about running out of memory to avoid list corruption. */ -+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC); -+ -+ if(!tmp) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); -+ return NULL; -+ } -+ -+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC); -+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC); -+ tmp->next = NULL; -+ -+ if(!tmp->regex_string || !tmp->pattern) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); -+ kfree(tmp->regex_string); -+ kfree(tmp->pattern); -+ kfree(tmp); -+ return NULL; -+ } -+ -+ /* Ok. The new node is all ready now. */ -+ node = tmp; -+ -+ if(first_pattern_cache == NULL) /* list is empty */ -+ first_pattern_cache = node; /* make node the beginning */ -+ else -+ last_pattern_cache->next = node; /* attach node to the end */ -+ -+ /* copy the string and compile the regex */ -+ len = strlen(regex_string); -+ DPRINTK("About to compile this: \"%s\"\n", regex_string); -+ node->pattern = regcomp(regex_string, &len); -+ if ( !node->pattern ) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol); -+ /* pattern is now cached as NULL, so we won't try again. */ -+ } -+ -+ strcpy(node->regex_string, regex_string); -+ return node->pattern; -+} -+ -+static int can_handle(const struct sk_buff *skb) -+{ -+ if(!ip_hdr(skb)) /* not IP */ -+ return 0; -+ if(ip_hdr(skb)->protocol != IPPROTO_TCP && -+ ip_hdr(skb)->protocol != IPPROTO_UDP && -+ ip_hdr(skb)->protocol != IPPROTO_ICMP) -+ return 0; -+ return 1; -+} -+ -+/* Returns offset the into the skb->data that the application data starts */ -+static int app_data_offset(const struct sk_buff *skb) -+{ -+ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb) -+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ -+ int ip_hl = 4*ip_hdr(skb)->ihl; -+ -+ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) { -+ /* 12 == offset into TCP header for the header length field. -+ Can't get this with skb->h.th->doff because the tcphdr -+ struct doesn't get set when routing (this is confirmed to be -+ true in Netfilter as well as QoS.) */ -+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4); -+ -+ return ip_hl + tcp_hl; -+ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) { -+ return ip_hl + 8; /* UDP header is always 8 bytes */ -+ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) { -+ return ip_hl + 8; /* ICMP header is 8 bytes */ -+ } else { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n"); -+ return ip_hl + 8; /* something reasonable */ -+ } -+} -+ -+/* handles whether there's a match when we aren't appending data anymore */ -+static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack, -+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo, -+ struct ipt_layer7_info * info) -+{ -+ /* If we're in here, throw the app data away */ -+ write_lock(&ct_lock); -+ if(master_conntrack->layer7.app_data != NULL) { -+ -+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+ if(!master_conntrack->layer7.app_proto) { -+ char * f = friendly_print(master_conntrack->layer7.app_data); -+ char * g = hex_print(master_conntrack->layer7.app_data); -+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n", -+ strlen(f), TOTAL_PACKETS, f); -+ kfree(f); -+ DPRINTK("In hex: %s\n", g); -+ kfree(g); -+ } -+ #endif -+ -+ kfree(master_conntrack->layer7.app_data); -+ master_conntrack->layer7.app_data = NULL; /* don't free again */ -+ } -+ write_unlock(&ct_lock); -+ -+ if(master_conntrack->layer7.app_proto){ -+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */ -+ write_lock(&ct_lock); -+ if(!conntrack->layer7.app_proto) { -+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC); -+ if(!conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ write_unlock(&ct_lock); -+ return 1; -+ } -+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto); -+ } -+ write_unlock(&ct_lock); -+ -+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol)); -+ } -+ else { -+ /* If not classified, set to "unknown" to distinguish from -+ connections that are still being tested. */ -+ write_lock(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ write_unlock(&ct_lock); -+ return 1; -+ } -+ strcpy(master_conntrack->layer7.app_proto, "unknown"); -+ write_unlock(&ct_lock); -+ return 0; -+ } -+} -+ -+/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct nf_conn * master_conntrack, -+ char * app_data, int appdatalen) -+{ -+ int length = 0, i; -+ int oldlength = master_conntrack->layer7.app_data_len; -+ -+ // This is a fix for a race condition by Deti Fliegl. However, I'm not -+ // clear on whether the race condition exists or whether this really -+ // fixes it. I might just be being dense... Anyway, if it's not really -+ // a fix, all it does is waste a very small amount of time. -+ if(!master_conntrack->layer7.app_data) return 0; -+ -+ /* Strip nulls. Make everything lower case (our regex lib doesn't -+ do case insensitivity). Add it to the end of the current data. */ -+ for(i = 0; i < maxdatalen-oldlength-1 && -+ i < appdatalen; i++) { -+ if(app_data[i] != '\0') { -+ master_conntrack->layer7.app_data[length+oldlength] = -+ /* the kernel version of tolower mungs 'upper ascii' */ -+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; -+ length++; -+ } -+ } -+ -+ master_conntrack->layer7.app_data[length+oldlength] = '\0'; -+ master_conntrack->layer7.app_data_len = length + oldlength; -+ -+ return length; -+} -+ -+/* Returns true on match and false otherwise. */ -+static int match(const struct sk_buff *skbin, -+ const struct net_device *in, const struct net_device *out, -+ const struct xt_match *match, const void *matchinfo, -+ int offset, unsigned int protoff, int *hotdrop) -+{ -+ /* sidestep const without getting a compiler warning... */ -+ struct sk_buff * skb = (struct sk_buff *)skbin; -+ -+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; -+ enum ip_conntrack_info master_ctinfo, ctinfo; -+ struct nf_conn *master_conntrack; -+ struct nf_conn *conntrack; -+ unsigned char * app_data; -+ unsigned int pattern_result, appdatalen; -+ regexp * comppattern; -+ -+ if(!can_handle(skb)){ -+ DPRINTK("layer7: This is some protocol I can't handle.\n"); -+ return info->invert; -+ } -+ -+ /* Treat parent & all its children together as one connection, except -+ for the purpose of setting conntrack->layer7.app_proto in the actual -+ connection. This makes /proc/net/ip_conntrack more satisfying. */ -+ if(((conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) == NULL) || -+ ((master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) { -+ return info->invert; -+ } -+ -+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */ -+ while (master_ct(master_conntrack) != NULL) -+ master_conntrack = master_ct(master_conntrack); -+ -+ /* if we've classified it or seen too many packets */ -+ if(TOTAL_PACKETS > num_packets || -+ master_conntrack->layer7.app_proto) { -+ -+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); -+ -+ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7 -+ rules. I'm not sure that using cb for this purpose is correct, even though -+ it says "put your private variables there". But it doesn't look like it -+ is being used for anything else in the skbs that make it here. */ -+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ -+ -+ return (pattern_result ^ info->invert); -+ } -+ -+ if(skb_is_nonlinear(skb)){ -+ if(skb_linearize(skb) != 0){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n"); -+ return info->invert; -+ } -+ } -+ -+ /* now that the skb is linearized, it's safe to set these. */ -+ app_data = skb->data + app_data_offset(skb); -+ appdatalen = skb->tail - app_data; -+ -+ spin_lock_bh(&list_lock); -+ /* the return value gets checked later, when we're ready to use it */ -+ comppattern = compile_and_cache(info->pattern, info->protocol); -+ spin_unlock_bh(&list_lock); -+ -+ /* On the first packet of a connection, allocate space for app data */ -+ write_lock(&ct_lock); -+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { -+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_data){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ write_unlock(&ct_lock); -+ return info->invert; -+ } -+ -+ master_conntrack->layer7.app_data[0] = '\0'; -+ } -+ write_unlock(&ct_lock); -+ -+ /* Can be here, but unallocated, if numpackets is increased near -+ the beginning of a connection */ -+ if(master_conntrack->layer7.app_data == NULL) -+ return (info->invert); /* unmatched */ -+ -+ if(!skb->cb[0]){ -+ int newbytes; -+ write_lock(&ct_lock); -+ newbytes = add_data(master_conntrack, app_data, appdatalen); -+ write_unlock(&ct_lock); -+ -+ if(newbytes == 0) { /* didn't add any data */ -+ skb->cb[0] = 1; -+ /* Didn't match before, not going to match now */ -+ return info->invert; -+ } -+ } -+ -+ /* If looking for "unknown", then never match. "Unknown" means that -+ we've given up; we're still trying with these packets. */ -+ read_lock(&ct_lock); -+ if(!strcmp(info->protocol, "unknown")) { -+ pattern_result = 0; -+ /* If looking for "unset", then always match. "Unset" means that we -+ haven't yet classified the connection. */ -+ } else if(!strcmp(info->protocol, "unset")) { -+ pattern_result = 2; -+ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets); -+ /* If the regexp failed to compile, don't bother running it */ -+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) { -+ DPRINTK("layer7: matched %s\n", info->protocol); -+ pattern_result = 1; -+ } else pattern_result = 0; -+ read_unlock(&ct_lock); -+ -+ if(pattern_result == 1) { -+ write_lock(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ write_unlock(&ct_lock); -+ return (pattern_result ^ info->invert); -+ } -+ strcpy(master_conntrack->layer7.app_proto, info->protocol); -+ write_unlock(&ct_lock); -+ } else if(pattern_result > 1) { /* cleanup from "unset" */ -+ pattern_result = 1; -+ } -+ -+ /* mark the packet seen */ -+ skb->cb[0] = 1; -+ -+ return (pattern_result ^ info->invert); -+} -+ -+static struct xt_match layer7_match = { -+ .name = "layer7", -+ .match = &match, -+ .matchsize = sizeof(struct ipt_layer7_info), -+ .family = AF_INET, -+ .me = THIS_MODULE -+}; -+ -+/* taken from drivers/video/modedb.c */ -+static int my_atoi(const char *s) -+{ -+ int val = 0; -+ -+ for (;; s++) { -+ switch (*s) { -+ case '0'...'9': -+ val = 10*val+(*s-'0'); -+ break; -+ default: -+ return val; -+ } -+ } -+} -+ -+/* write out num_packets to userland. */ -+static int layer7_read_proc(char* page, char ** start, off_t off, int count, -+ int* eof, void * data) -+{ -+ if(num_packets > 99 && net_ratelimit()) -+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); -+ -+ page[0] = num_packets/10 + '0'; -+ page[1] = num_packets%10 + '0'; -+ page[2] = '\n'; -+ page[3] = '\0'; -+ -+ *eof=1; -+ -+ return 3; -+} -+ -+/* Read in num_packets from userland */ -+static int layer7_write_proc(struct file* file, const char* buffer, -+ unsigned long count, void *data) -+{ -+ char * foo = kmalloc(count, GFP_ATOMIC); -+ -+ if(!foo){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n"); -+ return count; -+ } -+ -+ if(copy_from_user(foo, buffer, count)) { -+ return -EFAULT; -+ } -+ -+ -+ num_packets = my_atoi(foo); -+ kfree (foo); -+ -+ /* This has an arbitrary limit to make the math easier. I'm lazy. -+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ -+ if(num_packets > 99) { -+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); -+ num_packets = 99; -+ } else if(num_packets < 1) { -+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); -+ num_packets = 1; -+ } -+ -+ return count; -+} -+ -+/* register the proc file */ -+static void layer7_init_proc(void) -+{ -+ struct proc_dir_entry* entry; -+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); -+ entry->read_proc = layer7_read_proc; -+ entry->write_proc = layer7_write_proc; -+} -+ -+static void layer7_cleanup_proc(void) -+{ -+ remove_proc_entry("layer7_numpackets", proc_net); -+} -+ -+static int __init ipt_layer7_init(void) -+{ -+ need_conntrack(); -+ -+ layer7_init_proc(); -+ if(maxdatalen < 1) { -+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n"); -+ maxdatalen = 1; -+ } -+ /* This is not a hard limit. It's just here to prevent people from -+ bringing their slow machines to a grinding halt. */ -+ else if(maxdatalen > 65536) { -+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); -+ maxdatalen = 65536; -+ } -+ return xt_register_match(&layer7_match); -+} -+ -+static void __exit ipt_layer7_fini(void) -+{ -+ layer7_cleanup_proc(); -+ xt_unregister_match(&layer7_match); -+} -+ -+module_init(ipt_layer7_init); -+module_exit(ipt_layer7_fini); -Index: linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig -=================================================================== ---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Kconfig 2007-07-02 02:16:21.857539250 +0200 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig 2007-07-02 03:43:29.324235500 +0200 -@@ -63,6 +63,24 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config IP_NF_MATCH_LAYER7 -+ tristate "Layer 7 match support (EXPERIMENTAL)" -+ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL -+ help -+ Say Y if you want to be able to classify connections (and their -+ packets) based on regular expression matching of their application -+ layer data. This is one way to classify applications such as -+ peer-to-peer filesharing systems that do not always use the same -+ port. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ -+config IP_NF_MATCH_LAYER7_DEBUG -+ bool "Layer 7 debugging output" -+ depends on IP_NF_MATCH_LAYER7 -+ help -+ Say Y to get lots of debugging output. -+ - config IP_NF_MATCH_TOS - tristate "TOS match support" - depends on IP_NF_IPTABLES -Index: linux-2.6.22-rc6/net/ipv4/netfilter/Makefile -=================================================================== ---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Makefile 2007-07-02 02:16:21.865539750 +0200 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/Makefile 2007-07-02 03:43:29.336236250 +0200 -@@ -50,6 +50,8 @@ - obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o - obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o - -+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o -+ - # targets - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o - obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o -Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 02:35:33.797531000 +0200 -@@ -0,0 +1,1197 @@ -+/* -+ * regcomp and regexec -- regsub and regerror are elsewhere -+ * @(#)regexp.c 1.3 of 18 April 87 -+ * -+ * Copyright (c) 1986 by University of Toronto. -+ * Written by Henry Spencer. Not derived from licensed software. -+ * -+ * Permission is granted to anyone to use this software for any -+ * purpose on any computer system, and to redistribute it freely, -+ * subject to the following restrictions: -+ * -+ * 1. The author is not responsible for the consequences of use of -+ * this software, no matter how awful, even if they arise -+ * from defects in it. -+ * -+ * 2. The origin of this software must not be misrepresented, either -+ * by explicit claim or by omission. -+ * -+ * 3. Altered versions must be plainly marked as such, and must not -+ * be misrepresented as being the original software. -+ * -+ * Beware that some of this code is subtly aware of the way operator -+ * precedence is structured in regular expressions. Serious changes in -+ * regular-expression syntax might require a total rethink. -+ * -+ * This code was modified by Ethan Sommer to work within the kernel -+ * (it now uses kmalloc etc..) -+ * -+ * Modified slightly by Matthew Strait to use more modern C. -+ */ -+ -+#include "regexp.h" -+#include "regmagic.h" -+ -+/* added by ethan and matt. Lets it work in both kernel and user space. -+(So iptables can use it, for instance.) Yea, it goes both ways... */ -+#if __KERNEL__ -+ #define malloc(foo) kmalloc(foo,GFP_ATOMIC) -+#else -+ #define printk(format,args...) printf(format,##args) -+#endif -+ -+void regerror(char * s) -+{ -+ printk("<3>Regexp: %s\n", s); -+ /* NOTREACHED */ -+} -+ -+/* -+ * The "internal use only" fields in regexp.h are present to pass info from -+ * compile to execute that permits the execute phase to run lots faster on -+ * simple cases. They are: -+ * -+ * regstart char that must begin a match; '\0' if none obvious -+ * reganch is the match anchored (at beginning-of-line only)? -+ * regmust string (pointer into program) that match must include, or NULL -+ * regmlen length of regmust string -+ * -+ * Regstart and reganch permit very fast decisions on suitable starting points -+ * for a match, cutting down the work a lot. Regmust permits fast rejection -+ * of lines that cannot possibly match. The regmust tests are costly enough -+ * that regcomp() supplies a regmust only if the r.e. contains something -+ * potentially expensive (at present, the only such thing detected is * or + -+ * at the start of the r.e., which can involve a lot of backup). Regmlen is -+ * supplied because the test in regexec() needs it and regcomp() is computing -+ * it anyway. -+ */ -+ -+/* -+ * Structure for regexp "program". This is essentially a linear encoding -+ * of a nondeterministic finite-state machine (aka syntax charts or -+ * "railroad normal form" in parsing technology). Each node is an opcode -+ * plus a "next" pointer, possibly plus an operand. "Next" pointers of -+ * all nodes except BRANCH implement concatenation; a "next" pointer with -+ * a BRANCH on both ends of it is connecting two alternatives. (Here we -+ * have one of the subtle syntax dependencies: an individual BRANCH (as -+ * opposed to a collection of them) is never concatenated with anything -+ * because of operator precedence.) The operand of some types of node is -+ * a literal string; for others, it is a node leading into a sub-FSM. In -+ * particular, the operand of a BRANCH node is the first node of the branch. -+ * (NB this is *not* a tree structure: the tail of the branch connects -+ * to the thing following the set of BRANCHes.) The opcodes are: -+ */ -+ -+/* definition number opnd? meaning */ -+#define END 0 /* no End of program. */ -+#define BOL 1 /* no Match "" at beginning of line. */ -+#define EOL 2 /* no Match "" at end of line. */ -+#define ANY 3 /* no Match any one character. */ -+#define ANYOF 4 /* str Match any character in this string. */ -+#define ANYBUT 5 /* str Match any character not in this string. */ -+#define BRANCH 6 /* node Match this alternative, or the next... */ -+#define BACK 7 /* no Match "", "next" ptr points backward. */ -+#define EXACTLY 8 /* str Match this string. */ -+#define NOTHING 9 /* no Match empty string. */ -+#define STAR 10 /* node Match this (simple) thing 0 or more times. */ -+#define PLUS 11 /* node Match this (simple) thing 1 or more times. */ -+#define OPEN 20 /* no Mark this point in input as start of #n. */ -+ /* OPEN+1 is number 1, etc. */ -+#define CLOSE 30 /* no Analogous to OPEN. */ -+ -+/* -+ * Opcode notes: -+ * -+ * BRANCH The set of branches constituting a single choice are hooked -+ * together with their "next" pointers, since precedence prevents -+ * anything being concatenated to any individual branch. The -+ * "next" pointer of the last BRANCH in a choice points to the -+ * thing following the whole choice. This is also where the -+ * final "next" pointer of each individual branch points; each -+ * branch starts with the operand node of a BRANCH node. -+ * -+ * BACK Normal "next" pointers all implicitly point forward; BACK -+ * exists to make loop structures possible. -+ * -+ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular -+ * BRANCH structures using BACK. Simple cases (one character -+ * per match) are implemented with STAR and PLUS for speed -+ * and to minimize recursive plunges. -+ * -+ * OPEN,CLOSE ...are numbered at compile time. -+ */ -+ -+/* -+ * A node is one char of opcode followed by two chars of "next" pointer. -+ * "Next" pointers are stored as two 8-bit pieces, high order first. The -+ * value is a positive offset from the opcode of the node containing it. -+ * An operand, if any, simply follows the node. (Note that much of the -+ * code generation knows about this implicit relationship.) -+ * -+ * Using two bytes for the "next" pointer is vast overkill for most things, -+ * but allows patterns to get big without disasters. -+ */ -+#define OP(p) (*(p)) -+#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377)) -+#define OPERAND(p) ((p) + 3) -+ -+/* -+ * See regmagic.h for one further detail of program structure. -+ */ -+ -+ -+/* -+ * Utility definitions. -+ */ -+#ifndef CHARBITS -+#define UCHARAT(p) ((int)*(unsigned char *)(p)) -+#else -+#define UCHARAT(p) ((int)*(p)&CHARBITS) -+#endif -+ -+#define FAIL(m) { regerror(m); return(NULL); } -+#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?') -+#define META "^$.[()|?+*\\" -+ -+/* -+ * Flags to be passed up and down. -+ */ -+#define HASWIDTH 01 /* Known never to match null string. */ -+#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */ -+#define SPSTART 04 /* Starts with * or +. */ -+#define WORST 0 /* Worst case. */ -+ -+/* -+ * Global work variables for regcomp(). -+ */ -+struct match_globals { -+char *reginput; /* String-input pointer. */ -+char *regbol; /* Beginning of input, for ^ check. */ -+char **regstartp; /* Pointer to startp array. */ -+char **regendp; /* Ditto for endp. */ -+char *regparse; /* Input-scan pointer. */ -+int regnpar; /* () count. */ -+char regdummy; -+char *regcode; /* Code-emit pointer; ®dummy = don't. */ -+long regsize; /* Code size. */ -+}; -+ -+/* -+ * Forward declarations for regcomp()'s friends. -+ */ -+#ifndef STATIC -+#define STATIC static -+#endif -+STATIC char *reg(struct match_globals *g, int paren,int *flagp); -+STATIC char *regbranch(struct match_globals *g, int *flagp); -+STATIC char *regpiece(struct match_globals *g, int *flagp); -+STATIC char *regatom(struct match_globals *g, int *flagp); -+STATIC char *regnode(struct match_globals *g, char op); -+STATIC char *regnext(struct match_globals *g, char *p); -+STATIC void regc(struct match_globals *g, char b); -+STATIC void reginsert(struct match_globals *g, char op, char *opnd); -+STATIC void regtail(struct match_globals *g, char *p, char *val); -+STATIC void regoptail(struct match_globals *g, char *p, char *val); -+ -+ -+__kernel_size_t my_strcspn(const char *s1,const char *s2) -+{ -+ char *scan1; -+ char *scan2; -+ int count; -+ -+ count = 0; -+ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) { -+ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */ -+ if (*scan1 == *scan2++) -+ return(count); -+ count++; -+ } -+ return(count); -+} -+ -+/* -+ - regcomp - compile a regular expression into internal code -+ * -+ * We can't allocate space until we know how big the compiled form will be, -+ * but we can't compile it (and thus know how big it is) until we've got a -+ * place to put the code. So we cheat: we compile it twice, once with code -+ * generation turned off and size counting turned on, and once "for real". -+ * This also means that we don't allocate space until we are sure that the -+ * thing really will compile successfully, and we never have to move the -+ * code and thus invalidate pointers into it. (Note that it has to be in -+ * one piece because free() must be able to free it all.) -+ * -+ * Beware that the optimization-preparation code in here knows about some -+ * of the structure of the compiled regexp. -+ */ -+regexp * -+regcomp(char *exp,int *patternsize) -+{ -+ register regexp *r; -+ register char *scan; -+ register char *longest; -+ register int len; -+ int flags; -+ struct match_globals g; -+ -+ /* commented out by ethan -+ extern char *malloc(); -+ */ -+ -+ if (exp == NULL) -+ FAIL("NULL argument"); -+ -+ /* First pass: determine size, legality. */ -+ g.regparse = exp; -+ g.regnpar = 1; -+ g.regsize = 0L; -+ g.regcode = &g.regdummy; -+ regc(&g, MAGIC); -+ if (reg(&g, 0, &flags) == NULL) -+ return(NULL); -+ -+ /* Small enough for pointer-storage convention? */ -+ if (g.regsize >= 32767L) /* Probably could be 65535L. */ -+ FAIL("regexp too big"); -+ -+ /* Allocate space. */ -+ *patternsize=sizeof(regexp) + (unsigned)g.regsize; -+ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize); -+ if (r == NULL) -+ FAIL("out of space"); -+ -+ /* Second pass: emit code. */ -+ g.regparse = exp; -+ g.regnpar = 1; -+ g.regcode = r->program; -+ regc(&g, MAGIC); -+ if (reg(&g, 0, &flags) == NULL) -+ return(NULL); -+ -+ /* Dig out information for optimizations. */ -+ r->regstart = '\0'; /* Worst-case defaults. */ -+ r->reganch = 0; -+ r->regmust = NULL; -+ r->regmlen = 0; -+ scan = r->program+1; /* First BRANCH. */ -+ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */ -+ scan = OPERAND(scan); -+ -+ /* Starting-point info. */ -+ if (OP(scan) == EXACTLY) -+ r->regstart = *OPERAND(scan); -+ else if (OP(scan) == BOL) -+ r->reganch++; -+ -+ /* -+ * If there's something expensive in the r.e., find the -+ * longest literal string that must appear and make it the -+ * regmust. Resolve ties in favor of later strings, since -+ * the regstart check works with the beginning of the r.e. -+ * and avoiding duplication strengthens checking. Not a -+ * strong reason, but sufficient in the absence of others. -+ */ -+ if (flags&SPSTART) { -+ longest = NULL; -+ len = 0; -+ for (; scan != NULL; scan = regnext(&g, scan)) -+ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { -+ longest = OPERAND(scan); -+ len = strlen(OPERAND(scan)); -+ } -+ r->regmust = longest; -+ r->regmlen = len; -+ } -+ } -+ -+ return(r); -+} -+ -+/* -+ - reg - regular expression, i.e. main body or parenthesized thing -+ * -+ * Caller must absorb opening parenthesis. -+ * -+ * Combining parenthesis handling with the base level of regular expression -+ * is a trifle forced, but the need to tie the tails of the branches to what -+ * follows makes it hard to avoid. -+ */ -+static char * -+reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ ) -+{ -+ register char *ret; -+ register char *br; -+ register char *ender; -+ register int parno = 0; /* 0 makes gcc happy */ -+ int flags; -+ -+ *flagp = HASWIDTH; /* Tentatively. */ -+ -+ /* Make an OPEN node, if parenthesized. */ -+ if (paren) { -+ if (g->regnpar >= NSUBEXP) -+ FAIL("too many ()"); -+ parno = g->regnpar; -+ g->regnpar++; -+ ret = regnode(g, OPEN+parno); -+ } else -+ ret = NULL; -+ -+ /* Pick up the branches, linking them together. */ -+ br = regbranch(g, &flags); -+ if (br == NULL) -+ return(NULL); -+ if (ret != NULL) -+ regtail(g, ret, br); /* OPEN -> first. */ -+ else -+ ret = br; -+ if (!(flags&HASWIDTH)) -+ *flagp &= ~HASWIDTH; -+ *flagp |= flags&SPSTART; -+ while (*g->regparse == '|') { -+ g->regparse++; -+ br = regbranch(g, &flags); -+ if (br == NULL) -+ return(NULL); -+ regtail(g, ret, br); /* BRANCH -> BRANCH. */ -+ if (!(flags&HASWIDTH)) -+ *flagp &= ~HASWIDTH; -+ *flagp |= flags&SPSTART; -+ } -+ -+ /* Make a closing node, and hook it on the end. */ -+ ender = regnode(g, (paren) ? CLOSE+parno : END); -+ regtail(g, ret, ender); -+ -+ /* Hook the tails of the branches to the closing node. */ -+ for (br = ret; br != NULL; br = regnext(g, br)) -+ regoptail(g, br, ender); -+ -+ /* Check for proper termination. */ -+ if (paren && *g->regparse++ != ')') { -+ FAIL("unmatched ()"); -+ } else if (!paren && *g->regparse != '\0') { -+ if (*g->regparse == ')') { -+ FAIL("unmatched ()"); -+ } else -+ FAIL("junk on end"); /* "Can't happen". */ -+ /* NOTREACHED */ -+ } -+ -+ return(ret); -+} -+ -+/* -+ - regbranch - one alternative of an | operator -+ * -+ * Implements the concatenation operator. -+ */ -+static char * -+regbranch(struct match_globals *g, int *flagp) -+{ -+ register char *ret; -+ register char *chain; -+ register char *latest; -+ int flags; -+ -+ *flagp = WORST; /* Tentatively. */ -+ -+ ret = regnode(g, BRANCH); -+ chain = NULL; -+ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') { -+ latest = regpiece(g, &flags); -+ if (latest == NULL) -+ return(NULL); -+ *flagp |= flags&HASWIDTH; -+ if (chain == NULL) /* First piece. */ -+ *flagp |= flags&SPSTART; -+ else -+ regtail(g, chain, latest); -+ chain = latest; -+ } -+ if (chain == NULL) /* Loop ran zero times. */ -+ (void) regnode(g, NOTHING); -+ -+ return(ret); -+} -+ -+/* -+ - regpiece - something followed by possible [*+?] -+ * -+ * Note that the branching code sequences used for ? and the general cases -+ * of * and + are somewhat optimized: they use the same NOTHING node as -+ * both the endmarker for their branch list and the body of the last branch. -+ * It might seem that this node could be dispensed with entirely, but the -+ * endmarker role is not redundant. -+ */ -+static char * -+regpiece(struct match_globals *g, int *flagp) -+{ -+ register char *ret; -+ register char op; -+ register char *next; -+ int flags; -+ -+ ret = regatom(g, &flags); -+ if (ret == NULL) -+ return(NULL); -+ -+ op = *g->regparse; -+ if (!ISMULT(op)) { -+ *flagp = flags; -+ return(ret); -+ } -+ -+ if (!(flags&HASWIDTH) && op != '?') -+ FAIL("*+ operand could be empty"); -+ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH); -+ -+ if (op == '*' && (flags&SIMPLE)) -+ reginsert(g, STAR, ret); -+ else if (op == '*') { -+ /* Emit x* as (x&|), where & means "self". */ -+ reginsert(g, BRANCH, ret); /* Either x */ -+ regoptail(g, ret, regnode(g, BACK)); /* and loop */ -+ regoptail(g, ret, ret); /* back */ -+ regtail(g, ret, regnode(g, BRANCH)); /* or */ -+ regtail(g, ret, regnode(g, NOTHING)); /* null. */ -+ } else if (op == '+' && (flags&SIMPLE)) -+ reginsert(g, PLUS, ret); -+ else if (op == '+') { -+ /* Emit x+ as x(&|), where & means "self". */ -+ next = regnode(g, BRANCH); /* Either */ -+ regtail(g, ret, next); -+ regtail(g, regnode(g, BACK), ret); /* loop back */ -+ regtail(g, next, regnode(g, BRANCH)); /* or */ -+ regtail(g, ret, regnode(g, NOTHING)); /* null. */ -+ } else if (op == '?') { -+ /* Emit x? as (x|) */ -+ reginsert(g, BRANCH, ret); /* Either x */ -+ regtail(g, ret, regnode(g, BRANCH)); /* or */ -+ next = regnode(g, NOTHING); /* null. */ -+ regtail(g, ret, next); -+ regoptail(g, ret, next); -+ } -+ g->regparse++; -+ if (ISMULT(*g->regparse)) -+ FAIL("nested *?+"); -+ -+ return(ret); -+} -+ -+/* -+ - regatom - the lowest level -+ * -+ * Optimization: gobbles an entire sequence of ordinary characters so that -+ * it can turn them into a single node, which is smaller to store and -+ * faster to run. Backslashed characters are exceptions, each becoming a -+ * separate node; the code is simpler that way and it's not worth fixing. -+ */ -+static char * -+regatom(struct match_globals *g, int *flagp) -+{ -+ register char *ret; -+ int flags; -+ -+ *flagp = WORST; /* Tentatively. */ -+ -+ switch (*g->regparse++) { -+ case '^': -+ ret = regnode(g, BOL); -+ break; -+ case '$': -+ ret = regnode(g, EOL); -+ break; -+ case '.': -+ ret = regnode(g, ANY); -+ *flagp |= HASWIDTH|SIMPLE; -+ break; -+ case '[': { -+ register int class; -+ register int classend; -+ -+ if (*g->regparse == '^') { /* Complement of range. */ -+ ret = regnode(g, ANYBUT); -+ g->regparse++; -+ } else -+ ret = regnode(g, ANYOF); -+ if (*g->regparse == ']' || *g->regparse == '-') -+ regc(g, *g->regparse++); -+ while (*g->regparse != '\0' && *g->regparse != ']') { -+ if (*g->regparse == '-') { -+ g->regparse++; -+ if (*g->regparse == ']' || *g->regparse == '\0') -+ regc(g, '-'); -+ else { -+ class = UCHARAT(g->regparse-2)+1; -+ classend = UCHARAT(g->regparse); -+ if (class > classend+1) -+ FAIL("invalid [] range"); -+ for (; class <= classend; class++) -+ regc(g, class); -+ g->regparse++; -+ } -+ } else -+ regc(g, *g->regparse++); -+ } -+ regc(g, '\0'); -+ if (*g->regparse != ']') -+ FAIL("unmatched []"); -+ g->regparse++; -+ *flagp |= HASWIDTH|SIMPLE; -+ } -+ break; -+ case '(': -+ ret = reg(g, 1, &flags); -+ if (ret == NULL) -+ return(NULL); -+ *flagp |= flags&(HASWIDTH|SPSTART); -+ break; -+ case '\0': -+ case '|': -+ case ')': -+ FAIL("internal urp"); /* Supposed to be caught earlier. */ -+ break; -+ case '?': -+ case '+': -+ case '*': -+ FAIL("?+* follows nothing"); -+ break; -+ case '\\': -+ if (*g->regparse == '\0') -+ FAIL("trailing \\"); -+ ret = regnode(g, EXACTLY); -+ regc(g, *g->regparse++); -+ regc(g, '\0'); -+ *flagp |= HASWIDTH|SIMPLE; -+ break; -+ default: { -+ register int len; -+ register char ender; -+ -+ g->regparse--; -+ len = my_strcspn((const char *)g->regparse, (const char *)META); -+ if (len <= 0) -+ FAIL("internal disaster"); -+ ender = *(g->regparse+len); -+ if (len > 1 && ISMULT(ender)) -+ len--; /* Back off clear of ?+* operand. */ -+ *flagp |= HASWIDTH; -+ if (len == 1) -+ *flagp |= SIMPLE; -+ ret = regnode(g, EXACTLY); -+ while (len > 0) { -+ regc(g, *g->regparse++); -+ len--; -+ } -+ regc(g, '\0'); -+ } -+ break; -+ } -+ -+ return(ret); -+} -+ -+/* -+ - regnode - emit a node -+ */ -+static char * /* Location. */ -+regnode(struct match_globals *g, char op) -+{ -+ register char *ret; -+ register char *ptr; -+ -+ ret = g->regcode; -+ if (ret == &g->regdummy) { -+ g->regsize += 3; -+ return(ret); -+ } -+ -+ ptr = ret; -+ *ptr++ = op; -+ *ptr++ = '\0'; /* Null "next" pointer. */ -+ *ptr++ = '\0'; -+ g->regcode = ptr; -+ -+ return(ret); -+} -+ -+/* -+ - regc - emit (if appropriate) a byte of code -+ */ -+static void -+regc(struct match_globals *g, char b) -+{ -+ if (g->regcode != &g->regdummy) -+ *g->regcode++ = b; -+ else -+ g->regsize++; -+} -+ -+/* -+ - reginsert - insert an operator in front of already-emitted operand -+ * -+ * Means relocating the operand. -+ */ -+static void -+reginsert(struct match_globals *g, char op, char* opnd) -+{ -+ register char *src; -+ register char *dst; -+ register char *place; -+ -+ if (g->regcode == &g->regdummy) { -+ g->regsize += 3; -+ return; -+ } -+ -+ src = g->regcode; -+ g->regcode += 3; -+ dst = g->regcode; -+ while (src > opnd) -+ *--dst = *--src; -+ -+ place = opnd; /* Op node, where operand used to be. */ -+ *place++ = op; -+ *place++ = '\0'; -+ *place++ = '\0'; -+} -+ -+/* -+ - regtail - set the next-pointer at the end of a node chain -+ */ -+static void -+regtail(struct match_globals *g, char *p, char *val) -+{ -+ register char *scan; -+ register char *temp; -+ register int offset; -+ -+ if (p == &g->regdummy) -+ return; -+ -+ /* Find last node. */ -+ scan = p; -+ for (;;) { -+ temp = regnext(g, scan); -+ if (temp == NULL) -+ break; -+ scan = temp; -+ } -+ -+ if (OP(scan) == BACK) -+ offset = scan - val; -+ else -+ offset = val - scan; -+ *(scan+1) = (offset>>8)&0377; -+ *(scan+2) = offset&0377; -+} -+ -+/* -+ - regoptail - regtail on operand of first argument; nop if operandless -+ */ -+static void -+regoptail(struct match_globals *g, char *p, char *val) -+{ -+ /* "Operandless" and "op != BRANCH" are synonymous in practice. */ -+ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH) -+ return; -+ regtail(g, OPERAND(p), val); -+} -+ -+/* -+ * regexec and friends -+ */ -+ -+ -+/* -+ * Forwards. -+ */ -+STATIC int regtry(struct match_globals *g, regexp *prog, char *string); -+STATIC int regmatch(struct match_globals *g, char *prog); -+STATIC int regrepeat(struct match_globals *g, char *p); -+ -+#ifdef DEBUG -+int regnarrate = 0; -+void regdump(); -+STATIC char *regprop(char *op); -+#endif -+ -+/* -+ - regexec - match a regexp against a string -+ */ -+int -+regexec(regexp *prog, char *string) -+{ -+ register char *s; -+ struct match_globals g; -+ -+ /* Be paranoid... */ -+ if (prog == NULL || string == NULL) { -+ printk("<3>Regexp: NULL parameter\n"); -+ return(0); -+ } -+ -+ /* Check validity of program. */ -+ if (UCHARAT(prog->program) != MAGIC) { -+ printk("<3>Regexp: corrupted program\n"); -+ return(0); -+ } -+ -+ /* If there is a "must appear" string, look for it. */ -+ if (prog->regmust != NULL) { -+ s = string; -+ while ((s = strchr(s, prog->regmust[0])) != NULL) { -+ if (strncmp(s, prog->regmust, prog->regmlen) == 0) -+ break; /* Found it. */ -+ s++; -+ } -+ if (s == NULL) /* Not present. */ -+ return(0); -+ } -+ -+ /* Mark beginning of line for ^ . */ -+ g.regbol = string; -+ -+ /* Simplest case: anchored match need be tried only once. */ -+ if (prog->reganch) -+ return(regtry(&g, prog, string)); -+ -+ /* Messy cases: unanchored match. */ -+ s = string; -+ if (prog->regstart != '\0') -+ /* We know what char it must start with. */ -+ while ((s = strchr(s, prog->regstart)) != NULL) { -+ if (regtry(&g, prog, s)) -+ return(1); -+ s++; -+ } -+ else -+ /* We don't -- general case. */ -+ do { -+ if (regtry(&g, prog, s)) -+ return(1); -+ } while (*s++ != '\0'); -+ -+ /* Failure. */ -+ return(0); -+} -+ -+/* -+ - regtry - try match at specific point -+ */ -+static int /* 0 failure, 1 success */ -+regtry(struct match_globals *g, regexp *prog, char *string) -+{ -+ register int i; -+ register char **sp; -+ register char **ep; -+ -+ g->reginput = string; -+ g->regstartp = prog->startp; -+ g->regendp = prog->endp; -+ -+ sp = prog->startp; -+ ep = prog->endp; -+ for (i = NSUBEXP; i > 0; i--) { -+ *sp++ = NULL; -+ *ep++ = NULL; -+ } -+ if (regmatch(g, prog->program + 1)) { -+ prog->startp[0] = string; -+ prog->endp[0] = g->reginput; -+ return(1); -+ } else -+ return(0); -+} -+ -+/* -+ - regmatch - main matching routine -+ * -+ * Conceptually the strategy is simple: check to see whether the current -+ * node matches, call self recursively to see whether the rest matches, -+ * and then act accordingly. In practice we make some effort to avoid -+ * recursion, in particular by going through "ordinary" nodes (that don't -+ * need to know whether the rest of the match failed) by a loop instead of -+ * by recursion. -+ */ -+static int /* 0 failure, 1 success */ -+regmatch(struct match_globals *g, char *prog) -+{ -+ register char *scan = prog; /* Current node. */ -+ char *next; /* Next node. */ -+ -+#ifdef DEBUG -+ if (scan != NULL && regnarrate) -+ fprintf(stderr, "%s(\n", regprop(scan)); -+#endif -+ while (scan != NULL) { -+#ifdef DEBUG -+ if (regnarrate) -+ fprintf(stderr, "%s...\n", regprop(scan)); -+#endif -+ next = regnext(g, scan); -+ -+ switch (OP(scan)) { -+ case BOL: -+ if (g->reginput != g->regbol) -+ return(0); -+ break; -+ case EOL: -+ if (*g->reginput != '\0') -+ return(0); -+ break; -+ case ANY: -+ if (*g->reginput == '\0') -+ return(0); -+ g->reginput++; -+ break; -+ case EXACTLY: { -+ register int len; -+ register char *opnd; -+ -+ opnd = OPERAND(scan); -+ /* Inline the first character, for speed. */ -+ if (*opnd != *g->reginput) -+ return(0); -+ len = strlen(opnd); -+ if (len > 1 && strncmp(opnd, g->reginput, len) != 0) -+ return(0); -+ g->reginput += len; -+ } -+ break; -+ case ANYOF: -+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL) -+ return(0); -+ g->reginput++; -+ break; -+ case ANYBUT: -+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL) -+ return(0); -+ g->reginput++; -+ break; -+ case NOTHING: -+ case BACK: -+ break; -+ case OPEN+1: -+ case OPEN+2: -+ case OPEN+3: -+ case OPEN+4: -+ case OPEN+5: -+ case OPEN+6: -+ case OPEN+7: -+ case OPEN+8: -+ case OPEN+9: { -+ register int no; -+ register char *save; -+ -+ no = OP(scan) - OPEN; -+ save = g->reginput; -+ -+ if (regmatch(g, next)) { -+ /* -+ * Don't set startp if some later -+ * invocation of the same parentheses -+ * already has. -+ */ -+ if (g->regstartp[no] == NULL) -+ g->regstartp[no] = save; -+ return(1); -+ } else -+ return(0); -+ } -+ break; -+ case CLOSE+1: -+ case CLOSE+2: -+ case CLOSE+3: -+ case CLOSE+4: -+ case CLOSE+5: -+ case CLOSE+6: -+ case CLOSE+7: -+ case CLOSE+8: -+ case CLOSE+9: -+ { -+ register int no; -+ register char *save; -+ -+ no = OP(scan) - CLOSE; -+ save = g->reginput; -+ -+ if (regmatch(g, next)) { -+ /* -+ * Don't set endp if some later -+ * invocation of the same parentheses -+ * already has. -+ */ -+ if (g->regendp[no] == NULL) -+ g->regendp[no] = save; -+ return(1); -+ } else -+ return(0); -+ } -+ break; -+ case BRANCH: { -+ register char *save; -+ -+ if (OP(next) != BRANCH) /* No choice. */ -+ next = OPERAND(scan); /* Avoid recursion. */ -+ else { -+ do { -+ save = g->reginput; -+ if (regmatch(g, OPERAND(scan))) -+ return(1); -+ g->reginput = save; -+ scan = regnext(g, scan); -+ } while (scan != NULL && OP(scan) == BRANCH); -+ return(0); -+ /* NOTREACHED */ -+ } -+ } -+ break; -+ case STAR: -+ case PLUS: { -+ register char nextch; -+ register int no; -+ register char *save; -+ register int min; -+ -+ /* -+ * Lookahead to avoid useless match attempts -+ * when we know what character comes next. -+ */ -+ nextch = '\0'; -+ if (OP(next) == EXACTLY) -+ nextch = *OPERAND(next); -+ min = (OP(scan) == STAR) ? 0 : 1; -+ save = g->reginput; -+ no = regrepeat(g, OPERAND(scan)); -+ while (no >= min) { -+ /* If it could work, try it. */ -+ if (nextch == '\0' || *g->reginput == nextch) -+ if (regmatch(g, next)) -+ return(1); -+ /* Couldn't or didn't -- back up. */ -+ no--; -+ g->reginput = save + no; -+ } -+ return(0); -+ } -+ break; -+ case END: -+ return(1); /* Success! */ -+ break; -+ default: -+ printk("<3>Regexp: memory corruption\n"); -+ return(0); -+ break; -+ } -+ -+ scan = next; -+ } -+ -+ /* -+ * We get here only if there's trouble -- normally "case END" is -+ * the terminating point. -+ */ -+ printk("<3>Regexp: corrupted pointers\n"); -+ return(0); -+} -+ -+/* -+ - regrepeat - repeatedly match something simple, report how many -+ */ -+static int -+regrepeat(struct match_globals *g, char *p) -+{ -+ register int count = 0; -+ register char *scan; -+ register char *opnd; -+ -+ scan = g->reginput; -+ opnd = OPERAND(p); -+ switch (OP(p)) { -+ case ANY: -+ count = strlen(scan); -+ scan += count; -+ break; -+ case EXACTLY: -+ while (*opnd == *scan) { -+ count++; -+ scan++; -+ } -+ break; -+ case ANYOF: -+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) { -+ count++; -+ scan++; -+ } -+ break; -+ case ANYBUT: -+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) { -+ count++; -+ scan++; -+ } -+ break; -+ default: /* Oh dear. Called inappropriately. */ -+ printk("<3>Regexp: internal foulup\n"); -+ count = 0; /* Best compromise. */ -+ break; -+ } -+ g->reginput = scan; -+ -+ return(count); -+} -+ -+/* -+ - regnext - dig the "next" pointer out of a node -+ */ -+static char* -+regnext(struct match_globals *g, char *p) -+{ -+ register int offset; -+ -+ if (p == &g->regdummy) -+ return(NULL); -+ -+ offset = NEXT(p); -+ if (offset == 0) -+ return(NULL); -+ -+ if (OP(p) == BACK) -+ return(p-offset); -+ else -+ return(p+offset); -+} -+ -+#ifdef DEBUG -+ -+STATIC char *regprop(); -+ -+/* -+ - regdump - dump a regexp onto stdout in vaguely comprehensible form -+ */ -+void -+regdump(regexp *r) -+{ -+ register char *s; -+ register char op = EXACTLY; /* Arbitrary non-END op. */ -+ register char *next; -+ /* extern char *strchr(); */ -+ -+ -+ s = r->program + 1; -+ while (op != END) { /* While that wasn't END last time... */ -+ op = OP(s); -+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */ -+ next = regnext(s); -+ if (next == NULL) /* Next ptr. */ -+ printf("(0)"); -+ else -+ printf("(%d)", (s-r->program)+(next-s)); -+ s += 3; -+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) { -+ /* Literal string, where present. */ -+ while (*s != '\0') { -+ putchar(*s); -+ s++; -+ } -+ s++; -+ } -+ putchar('\n'); -+ } -+ -+ /* Header fields of interest. */ -+ if (r->regstart != '\0') -+ printf("start `%c' ", r->regstart); -+ if (r->reganch) -+ printf("anchored "); -+ if (r->regmust != NULL) -+ printf("must have \"%s\"", r->regmust); -+ printf("\n"); -+} -+ -+/* -+ - regprop - printable representation of opcode -+ */ -+static char * -+regprop(char *op) -+{ -+#define BUFLEN 50 -+ register char *p; -+ static char buf[BUFLEN]; -+ -+ strcpy(buf, ":"); -+ -+ switch (OP(op)) { -+ case BOL: -+ p = "BOL"; -+ break; -+ case EOL: -+ p = "EOL"; -+ break; -+ case ANY: -+ p = "ANY"; -+ break; -+ case ANYOF: -+ p = "ANYOF"; -+ break; -+ case ANYBUT: -+ p = "ANYBUT"; -+ break; -+ case BRANCH: -+ p = "BRANCH"; -+ break; -+ case EXACTLY: -+ p = "EXACTLY"; -+ break; -+ case NOTHING: -+ p = "NOTHING"; -+ break; -+ case BACK: -+ p = "BACK"; -+ break; -+ case END: -+ p = "END"; -+ break; -+ case OPEN+1: -+ case OPEN+2: -+ case OPEN+3: -+ case OPEN+4: -+ case OPEN+5: -+ case OPEN+6: -+ case OPEN+7: -+ case OPEN+8: -+ case OPEN+9: -+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN); -+ p = NULL; -+ break; -+ case CLOSE+1: -+ case CLOSE+2: -+ case CLOSE+3: -+ case CLOSE+4: -+ case CLOSE+5: -+ case CLOSE+6: -+ case CLOSE+7: -+ case CLOSE+8: -+ case CLOSE+9: -+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE); -+ p = NULL; -+ break; -+ case STAR: -+ p = "STAR"; -+ break; -+ case PLUS: -+ p = "PLUS"; -+ break; -+ default: -+ printk("<3>Regexp: corrupted opcode\n"); -+ break; -+ } -+ if (p != NULL) -+ strncat(buf, p, BUFLEN-strlen(buf)); -+ return(buf); -+} -+#endif -+ -+ -Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 02:16:23.677653000 +0200 -@@ -0,0 +1,41 @@ -+/* -+ * Definitions etc. for regexp(3) routines. -+ * -+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], -+ * not the System V one. -+ */ -+ -+#ifndef REGEXP_H -+#define REGEXP_H -+ -+ -+/* -+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h , -+which contains a version of this library, says: -+ -+ * -+ * NSUBEXP must be at least 10, and no greater than 117 or the parser -+ * will not work properly. -+ * -+ -+However, it looks rather like this library is limited to 10. If you think -+otherwise, let us know. -+*/ -+ -+#define NSUBEXP 10 -+typedef struct regexp { -+ char *startp[NSUBEXP]; -+ char *endp[NSUBEXP]; -+ char regstart; /* Internal use only. */ -+ char reganch; /* Internal use only. */ -+ char *regmust; /* Internal use only. */ -+ int regmlen; /* Internal use only. */ -+ char program[1]; /* Unwarranted chumminess with compiler. */ -+} regexp; -+ -+regexp * regcomp(char *exp, int *patternsize); -+int regexec(regexp *prog, char *string); -+void regsub(regexp *prog, char *source, char *dest); -+void regerror(char *s); -+ -+#endif -Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 02:16:23.701654500 +0200 -@@ -0,0 +1,5 @@ -+/* -+ * The first byte of the regexp internal "program" is actually this magic -+ * number; the start node begins in the second byte. -+ */ -+#define MAGIC 0234 -Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 02:35:46.074298250 +0200 -@@ -0,0 +1,95 @@ -+/* -+ * regsub -+ * @(#)regsub.c 1.3 of 2 April 86 -+ * -+ * Copyright (c) 1986 by University of Toronto. -+ * Written by Henry Spencer. Not derived from licensed software. -+ * -+ * Permission is granted to anyone to use this software for any -+ * purpose on any computer system, and to redistribute it freely, -+ * subject to the following restrictions: -+ * -+ * 1. The author is not responsible for the consequences of use of -+ * this software, no matter how awful, even if they arise -+ * from defects in it. -+ * -+ * 2. The origin of this software must not be misrepresented, either -+ * by explicit claim or by omission. -+ * -+ * 3. Altered versions must be plainly marked as such, and must not -+ * be misrepresented as being the original software. -+ * -+ * -+ * This code was modified by Ethan Sommer to work within the kernel -+ * (it now uses kmalloc etc..) -+ * -+ */ -+#include "regexp.h" -+#include "regmagic.h" -+#include -+ -+ -+#ifndef CHARBITS -+#define UCHARAT(p) ((int)*(unsigned char *)(p)) -+#else -+#define UCHARAT(p) ((int)*(p)&CHARBITS) -+#endif -+ -+#if 0 -+//void regerror(char * s) -+//{ -+// printk("regexp(3): %s", s); -+// /* NOTREACHED */ -+//} -+#endif -+ -+/* -+ - regsub - perform substitutions after a regexp match -+ */ -+void -+regsub(regexp * prog, char * source, char * dest) -+{ -+ register char *src; -+ register char *dst; -+ register char c; -+ register int no; -+ register int len; -+ -+ /* Not necessary and gcc doesn't like it -MLS */ -+ /*extern char *strncpy();*/ -+ -+ if (prog == NULL || source == NULL || dest == NULL) { -+ regerror("NULL parm to regsub"); -+ return; -+ } -+ if (UCHARAT(prog->program) != MAGIC) { -+ regerror("damaged regexp fed to regsub"); -+ return; -+ } -+ -+ src = source; -+ dst = dest; -+ while ((c = *src++) != '\0') { -+ if (c == '&') -+ no = 0; -+ else if (c == '\\' && '0' <= *src && *src <= '9') -+ no = *src++ - '0'; -+ else -+ no = -1; -+ -+ if (no < 0) { /* Ordinary character. */ -+ if (c == '\\' && (*src == '\\' || *src == '&')) -+ c = *src++; -+ *dst++ = c; -+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { -+ len = prog->endp[no] - prog->startp[no]; -+ (void) strncpy(dst, prog->startp[no], len); -+ dst += len; -+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */ -+ regerror("damaged match string"); -+ return; -+ } -+ } -+ } -+ *dst++ = '\0'; -+} -Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h -=================================================================== ---- linux-2.6.22-rc6.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:21.825537250 +0200 -+++ linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:23.749657500 +0200 -@@ -128,6 +128,21 @@ - u_int32_t secmark; - #endif - -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ struct { -+ /* -+ * e.g. "http". NULL before decision. "unknown" after decision -+ * if no match. -+ */ -+ char *app_proto; -+ /* -+ * application layer data so far. NULL after match decision. -+ */ -+ char *app_data; -+ unsigned int app_data_len; -+ } layer7; -+#endif -+ - /* Storage reserved for other modules: */ - union nf_conntrack_proto proto; - diff --git a/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch index 5ac30a7c2e..8f2456ffed 100644 --- a/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch +++ b/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch @@ -1,36 +1,37 @@ -Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h +Index: linux-2.6.22.18/include/linux/netfilter/xt_layer7.h =================================================================== ---- linux-2.6.22-rc6.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:28.597194750 +0200 -+++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:44.730203000 +0200 -@@ -21,6 +21,7 @@ +--- linux-2.6.22.18.orig/include/linux/netfilter/xt_layer7.h ++++ linux-2.6.22.18/include/linux/netfilter/xt_layer7.h +@@ -8,6 +8,7 @@ struct xt_layer7_info { char protocol[MAX_PROTOCOL_LEN]; - char invert:1; char pattern[MAX_PATTERN_LEN]; -+ char pkt; + u_int8_t invert; ++ u_int8_t pkt; }; - #endif /* _IPT_LAYER7_H */ -Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c + #endif /* _XT_LAYER7_H */ +Index: linux-2.6.22.18/net/netfilter/xt_layer7.c =================================================================== ---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:28.609195500 +0200 -+++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:54.234797000 +0200 -@@ -300,33 +300,34 @@ +--- linux-2.6.22.18.orig/net/netfilter/xt_layer7.c ++++ linux-2.6.22.18/net/netfilter/xt_layer7.c +@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con } /* add the new app data to the conntrack. Return number of bytes added. */ -static int add_data(struct nf_conn * master_conntrack, -- char * app_data, int appdatalen) +- char * app_data, int appdatalen) +static int add_datastr(char *target, int offset, char *app_data, int len) { int length = 0, i; - int oldlength = master_conntrack->layer7.app_data_len; - -- // This is a fix for a race condition by Deti Fliegl. However, I'm not -- // clear on whether the race condition exists or whether this really -- // fixes it. I might just be being dense... Anyway, if it's not really -- // a fix, all it does is waste a very small amount of time. +- /* This is a fix for a race condition by Deti Fliegl. However, I'm not +- clear on whether the race condition exists or whether this really +- fixes it. I might just be being dense... Anyway, if it's not really +- a fix, all it does is waste a very small amount of time. */ - if(!master_conntrack->layer7.app_data) return 0; -+ if(!target) return 0; ++ ++ if (!target) return 0; /* Strip nulls. Make everything lower case (our regex lib doesn't do case insensitivity). Add it to the end of the current data. */ @@ -38,15 +39,16 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c - i < appdatalen; i++) { + for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { if(app_data[i] != '\0') { + /* the kernel version of tolower mungs 'upper ascii' */ - master_conntrack->layer7.app_data[length+oldlength] = + target[length+offset] = - /* the kernel version of tolower mungs 'upper ascii' */ - isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; + isascii(app_data[i])? + tolower(app_data[i]) : app_data[i]; length++; } } + target[length+offset] = '\0'; -+ ++ + return length; +} @@ -54,7 +56,7 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c - master_conntrack->layer7.app_data_len = length + oldlength; +/* add the new app data to the conntrack. Return number of bytes added. */ +static int add_data(struct nf_conn * master_conntrack, -+ char * app_data, int appdatalen) ++ char * app_data, int appdatalen) +{ + int length; @@ -63,29 +65,29 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c return length; } -@@ -343,7 +344,7 @@ +@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin, + const struct xt_layer7_info * info = matchinfo; enum ip_conntrack_info master_ctinfo, ctinfo; - struct nf_conn *master_conntrack; - struct nf_conn *conntrack; + struct nf_conn *master_conntrack, *conntrack; - unsigned char * app_data; + unsigned char *app_data, *tmp_data; unsigned int pattern_result, appdatalen; regexp * comppattern; -@@ -365,8 +366,8 @@ +@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin, master_conntrack = master_ct(master_conntrack); /* if we've classified it or seen too many packets */ - if(TOTAL_PACKETS > num_packets || - master_conntrack->layer7.app_proto) { + if(!info->pkt && (TOTAL_PACKETS > num_packets || -+ master_conntrack->layer7.app_proto)) { - - pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); ++ master_conntrack->layer7.app_proto)) { -@@ -396,6 +397,23 @@ + pattern_result = match_no_append(conntrack, master_conntrack, + ctinfo, master_ctinfo, info); +@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin, + /* the return value gets checked later, when we're ready to use it */ comppattern = compile_and_cache(info->pattern, info->protocol); - spin_unlock_bh(&list_lock); + if (info->pkt) { + tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); @@ -98,12 +100,14 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c + tmp_data[0] = '\0'; + add_datastr(tmp_data, 0, app_data, appdatalen); + pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); ++ + kfree(tmp_data); + tmp_data = NULL; ++ spin_unlock_bh(&l7_lock); + + return (pattern_result ^ info->invert); + } + /* On the first packet of a connection, allocate space for app data */ - write_lock(&ct_lock); - if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { + if(TOTAL_PACKETS == 1 && !skb->cb[0] && + !master_conntrack->layer7.app_data){ diff --git a/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch b/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch index 6963ac098e..9a4cb63cd1 100644 --- a/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch +++ b/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch @@ -1,6 +1,7 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-26 20:21:54.586864296 +0200 +Index: linux-2.6.22.18/include/linux/netfilter_ipv4/ipt_ipp2p.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/include/linux/netfilter_ipv4/ipt_ipp2p.h @@ -0,0 +1,31 @@ +#ifndef __IPT_IPP2P_H +#define __IPT_IPP2P_H @@ -33,9 +34,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6. +#define IPP2P_MUTE (1 << 14) +#define IPP2P_WASTE (1 << 15) +#define IPP2P_XDCC (1 << 16) -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-26 20:21:54.587864144 +0200 +Index: linux-2.6.22.18/net/ipv4/netfilter/ipt_ipp2p.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/ipv4/netfilter/ipt_ipp2p.c @@ -0,0 +1,882 @@ +#if defined(MODVERSIONS) +#include @@ -919,12 +921,13 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/n +module_exit(fini); + + -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-05-26 20:17:47.626407992 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:21:54.587864144 +0200 -@@ -81,6 +81,12 @@ - help - Say Y to get lots of debugging output. +Index: linux-2.6.22.18/net/ipv4/netfilter/Kconfig +=================================================================== +--- linux-2.6.22.18.orig/net/ipv4/netfilter/Kconfig ++++ linux-2.6.22.18/net/ipv4/netfilter/Kconfig +@@ -63,6 +63,12 @@ config IP_NF_MATCH_IPRANGE + + To compile it as a module, choose M here. If unsure, say N. +config IP_NF_MATCH_IPP2P + tristate "IPP2P" @@ -935,15 +938,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i config IP_NF_MATCH_TOS tristate "TOS match support" depends on IP_NF_IPTABLES -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile ---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-05-26 20:17:47.638406168 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:21:54.588863992 +0200 -@@ -49,7 +49,7 @@ +Index: linux-2.6.22.18/net/ipv4/netfilter/Makefile +=================================================================== +--- linux-2.6.22.18.orig/net/ipv4/netfilter/Makefile ++++ linux-2.6.22.18/net/ipv4/netfilter/Makefile +@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o -- +obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o - obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o # targets + obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o diff --git a/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables.patch deleted file mode 100644 index 2bc678e961..0000000000 --- a/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables.patch +++ /dev/null @@ -1,958 +0,0 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h ---- linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h 2007-05-26 20:40:10.922195992 +0200 -@@ -0,0 +1,5 @@ -+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) -+# include -+#else /* linux-2.6.20+ */ -+# include -+#endif -diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h ---- linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h 2007-05-26 20:40:10.940193256 +0200 -@@ -0,0 +1,14 @@ -+/* Out of tree workarounds */ -+#include -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_MATCHINFOSIZE 1 -+# define HAVE_TARGUSERINFO 1 -+# define HAVE_TARGINFOSIZE 1 -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) -+# define nfmark mark -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) -+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ -+ tcp_v4_check((tcph_sz), (s), (d), (csp)) -+#endif -diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h ---- linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h 2007-05-26 20:40:10.940193256 +0200 -@@ -0,0 +1,14 @@ -+#ifndef _LINUX_XT_CHAOS_H -+#define _LINUX_XT_CHAOS_H 1 -+ -+enum xt_chaos_variant { -+ XTCHAOS_NORMAL, -+ XTCHAOS_TARPIT, -+ XTCHAOS_DELUDE, -+}; -+ -+struct xt_chaos_info { -+ enum xt_chaos_variant variant; -+}; -+ -+#endif /* _LINUX_XT_CHAOS_H */ -diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h ---- linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h 2007-05-26 20:40:10.940193256 +0200 -@@ -0,0 +1,8 @@ -+#ifndef _LINUX_XT_PORTSCAN_H -+#define _LINUX_XT_PORTSCAN_H 1 -+ -+struct xt_portscan_info { -+ unsigned int match_stealth, match_syn, match_cn, match_gr; -+}; -+ -+#endif /* _LINUX_XT_PORTSCAN_H */ -diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/netfilter/find_match.c ---- linux-2.6.21.1.old/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/find_match.c 2007-05-26 20:40:10.970188696 +0200 -@@ -0,0 +1,39 @@ -+/* -+ xt_request_find_match -+ by Jan Engelhardt , 2006 - 2007 -+ -+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: -+ Copyright (C) 2006-2006 Harald Welte -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+ -+/* -+ * Yeah this code is sub-optimal, but the function is missing in -+ * mainline so far. -jengelh -+ */ -+static struct xt_match *xt_request_find_match_lo(int af, const char *name, -+ u8 revision) -+{ -+ static const char *const xt_prefix[] = { -+ [AF_INET] = "ip", -+ [AF_INET6] = "ip6", -+ [NF_ARP] = "arp", -+ }; -+ struct xt_match *match; -+ -+ match = try_then_request_module(xt_find_match(af, name, revision), -+ "%st_%s", xt_prefix[af], name); -+ if(IS_ERR(match) || match == NULL) -+ return NULL; -+ -+ return match; -+} -+ -+/* In case it goes into mainline, let this out-of-tree package compile */ -+#define xt_request_find_match xt_request_find_match_lo -diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfilter/Kconfig ---- linux-2.6.21.1.old/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/netfilter/Kconfig 2007-05-26 20:40:11.003183680 +0200 -@@ -255,6 +255,14 @@ - - # alphabetically ordered list of targets - -+config NETFILTER_XT_TARGET_CHAOS -+ tristate '"CHAOS" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `CHAOS' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_CLASSIFY - tristate '"CLASSIFY" target support' - depends on NETFILTER_XTABLES -@@ -282,6 +290,14 @@ - . The module will be called - ipt_CONNMARK.ko. If unsure, say `N'. - -+config NETFILTER_XT_TARGET_DELUDE -+ tristate '"DELUDE" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `DELUDE' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_DSCP - tristate '"DSCP" target support' - depends on NETFILTER_XTABLES -@@ -526,6 +542,14 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config NETFILTER_XT_MATCH_PORTSCAN -+ tristate '"portscan" match support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a 'portscan' match support. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_MATCH_MULTIPORT - tristate "Multiple port match support" - depends on NETFILTER_XTABLES -diff -urN linux-2.6.21.1.old/net/netfilter/Makefile linux-2.6.21.1.dev/net/netfilter/Makefile ---- linux-2.6.21.1.old/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/netfilter/Makefile 2007-05-26 20:40:11.003183680 +0200 -@@ -37,8 +37,10 @@ - obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o - - # targets -+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o - obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o - obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o -+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o - obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o - obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o - obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o -@@ -63,6 +65,7 @@ - obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o - obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o - obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o -+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o - obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o - obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o - obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o -diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c ---- linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c 2007-05-26 20:40:11.004183528 +0200 -@@ -0,0 +1,204 @@ -+/* -+ CHAOS target for netfilter -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "find_match.c" -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+/* Module parameters */ -+static unsigned int reject_percentage = ~0U * .01; -+static unsigned int delude_percentage = ~0U * .0101; -+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); -+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); -+ -+/* References to other matches/targets */ -+static struct xt_match *xm_tcp; -+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; -+ -+static int have_delude, have_tarpit; -+ -+/* Static data for other matches/targets */ -+static const struct ipt_reject_info reject_params = { -+ .with = ICMP_HOST_UNREACH, -+}; -+ -+static const struct xt_tcp tcp_params = { -+ .spts = {0, ~0}, -+ .dpts = {0, ~0}, -+}; -+ -+/* CHAOS functions */ -+static void xt_chaos_total(const struct xt_chaos_info *info, -+ struct sk_buff **pskb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum) -+{ -+ const int protoff = ip_hdrlen(*pskb); -+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET; -+ const struct xt_target *destiny; -+ int hotdrop = 0, ret; -+ -+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, -+ offset, protoff, &hotdrop); -+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage) -+ return; -+ -+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; -+#ifdef HAVE_TARGUSERINFO -+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL); -+#else -+ destiny->target(pskb, in, out, hooknum, destiny, NULL); -+#endif -+ return; -+} -+ -+static unsigned int xt_chaos_target(struct sk_buff **pskb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* Equivalent to: -+ * -A chaos -m statistic --mode random --probability \ -+ * $reject_percentage -j REJECT --reject-with host-unreach; -+ * -A chaos -p tcp -m statistic --mode random --probability \ -+ * $delude_percentage -j DELUDE; -+ * -A chaos -j DROP; -+ */ -+ const struct xt_chaos_info *info = targinfo; -+ -+ if((unsigned int)net_random() <= reject_percentage) -+#ifdef HAVE_TARGUSERINFO -+ return xt_reject->target(pskb, in, out, hooknum, target, -+ &reject_params, userinfo); -+#else -+ return xt_reject->target(pskb, in, out, hooknum, target, -+ &reject_params); -+#endif -+ -+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ -+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP && -+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) -+ xt_chaos_total(info, pskb, in, out, hooknum); -+ -+ return NF_DROP; -+} -+ -+static int xt_chaos_checkentry(const char *tablename, const void *entry, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_chaos_info *info = targinfo; -+ if(info->variant == XTCHAOS_DELUDE && !have_delude) { -+ printk(KERN_WARNING PFX "Error: Cannot use --delude when " -+ "DELUDE module not available\n"); -+ return 0; -+ } -+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) { -+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " -+ "TARPIT module not available\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+static struct xt_target xt_chaos_info = { -+ .name = "CHAOS", -+ .target = xt_chaos_target, -+ .checkentry = xt_chaos_checkentry, -+ .table = "filter", -+ .targetsize = sizeof(struct xt_chaos_info), -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_chaos_init(void) -+{ -+ int ret = -EINVAL; -+ -+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); -+ if(xm_tcp == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"tcp\" match\n"); -+ return -EINVAL; -+ } -+ -+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); -+ if(xt_reject == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"REJECT\" target\n"); -+ goto out2; -+ } -+ -+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); -+ have_tarpit = xt_tarpit != NULL; -+ if(!have_tarpit) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"TARPIT\" target\n"); -+ -+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); -+ have_delude = xt_delude != NULL; -+ if(!have_delude) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"DELUDE\" target\n"); -+ -+ if((ret = xt_register_target(&xt_chaos_info)) != 0) { -+ printk(KERN_WARNING PFX "xt_register_target returned " -+ "error %d\n", ret); -+ goto out3; -+ } -+ -+ return 0; -+ -+ out3: -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ module_put(xt_reject->me); -+ out2: -+ module_put(xm_tcp->me); -+ return ret; -+} -+ -+static void __exit xt_chaos_exit(void) -+{ -+ xt_unregister_target(&xt_chaos_info); -+ module_put(xm_tcp->me); -+ module_put(xt_reject->me); -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ return; -+} -+ -+module_init(xt_chaos_init); -+module_exit(xt_chaos_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter CHAOS target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_CHAOS"); -diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c ---- linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c 2007-05-26 20:40:11.004183528 +0200 -@@ -0,0 +1,288 @@ -+/* -+ DELUDE target -+ Copyright © Jan Engelhardt , 2007 -+ -+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: -+ (C) 1999-2001 Paul `Rusty' Russell -+ (C) 2002-2004 Netfilter Core Team -+ -+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef CONFIG_BRIDGE_NETFILTER -+# include -+#endif -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+static inline struct rtable *route_reverse(struct sk_buff *skb, -+ struct tcphdr *tcph, int hook) -+{ -+ struct iphdr *iph = ip_hdr(skb); -+ struct dst_entry *odst; -+ struct flowi fl = {}; -+ struct rtable *rt; -+ -+ /* We don't require ip forwarding to be enabled to be able to -+ * send a RST reply for bridged traffic. */ -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) { -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ if (hook == NF_IP_LOCAL_IN) -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ } else { -+ /* non-local src, find valid iif to satisfy -+ * rp-filter when calling ip_route_input. */ -+ fl.nl_u.ip4_u.daddr = iph->daddr; -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ -+ odst = skb->dst; -+ if (ip_route_input(skb, iph->saddr, iph->daddr, -+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ dst_release(&rt->u.dst); -+ rt = (struct rtable *)skb->dst; -+ skb->dst = odst; -+ -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ } -+ -+ if (rt->u.dst.error) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ -+ fl.proto = IPPROTO_TCP; -+ fl.fl_ip_sport = tcph->dest; -+ fl.fl_ip_dport = tcph->source; -+ -+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0); -+ -+ return rt; -+} -+ -+static void send_reset(struct sk_buff *oldskb, int hook) -+{ -+ struct sk_buff *nskb; -+ struct iphdr *iph = ip_hdr(oldskb); -+ struct tcphdr _otcph, *oth, *tcph; -+ __be16 tmp_port; -+ __be32 tmp_addr; -+ int needs_ack; -+ unsigned int addr_type; -+ -+ /* IP header checks: fragment. */ -+ if (iph->frag_off & htons(IP_OFFSET)) -+ return; -+ -+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), -+ sizeof(_otcph), &_otcph); -+ if (oth == NULL) -+ return; -+ -+ /* No RST for RST. */ -+ if (oth->rst) -+ return; -+ -+ /* Check checksum */ -+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) -+ return; -+ -+ /* We need a linear, writeable skb. We also need to expand -+ headroom in case hh_len of incoming interface < hh_len of -+ outgoing interface */ -+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), -+ GFP_ATOMIC); -+ if (!nskb) -+ return; -+ -+ /* This packet will not be the same as the other: clear nf fields */ -+ nf_reset(nskb); -+ nskb->nfmark = 0; -+ skb_init_secmark(nskb); -+ -+ skb_shinfo(nskb)->gso_size = 0; -+ skb_shinfo(nskb)->gso_segs = 0; -+ skb_shinfo(nskb)->gso_type = 0; -+ -+ tcph = tcp_hdr(nskb); -+ -+ /* Swap source and dest */ -+ tmp_addr = ip_hdr(nskb)->saddr; -+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr; -+ ip_hdr(nskb)->daddr = tmp_addr; -+ tmp_port = tcph->source; -+ tcph->source = tcph->dest; -+ tcph->dest = tmp_port; -+ -+ /* Truncate to length (no data) */ -+ tcph->doff = sizeof(struct tcphdr)/4; -+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); -+ ip_hdr(nskb)->tot_len = htons(nskb->len); -+ -+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) { -+ /* DELUDE essential part */ -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + -+ oldskb->len - ip_hdrlen(oldskb) - -+ (oth->doff << 2)); -+ tcph->seq = htonl(secure_tcp_sequence_number( -+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr, -+ tcph->source, tcph->dest)); -+ tcph->ack = 1; -+ } else { -+ if(!tcph->ack) { -+ needs_ack = 1; -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin -+ + oldskb->len - ip_hdrlen(oldskb) -+ - (oth->doff<<2)); -+ tcph->seq = 0; -+ } else { -+ needs_ack = 0; -+ tcph->seq = oth->ack_seq; -+ tcph->ack_seq = 0; -+ } -+ -+ /* Reset flags */ -+ ((u_int8_t *)tcph)[13] = 0; -+ tcph->rst = 1; -+ tcph->ack = needs_ack; -+ } -+ -+ -+ tcph->window = 0; -+ tcph->urg_ptr = 0; -+ -+ /* Adjust TCP checksum */ -+ tcph->check = 0; -+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), -+ ip_hdr(nskb)->saddr, -+ ip_hdr(nskb)->daddr, -+ csum_partial((char *)tcph, -+ sizeof(struct tcphdr), 0)); -+ -+ /* Set DF, id = 0 */ -+ ip_hdr(nskb)->frag_off = htons(IP_DF); -+ ip_hdr(nskb)->id = 0; -+ -+ addr_type = RTN_UNSPEC; -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) -+ addr_type = RTN_LOCAL; -+ -+ if (ip_route_me_harder(&nskb, addr_type)) -+ goto free_nskb; -+ -+ nskb->ip_summed = CHECKSUM_NONE; -+ -+ /* Adjust IP TTL */ -+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); -+ -+ /* Adjust IP checksum */ -+ ip_hdr(nskb)->check = 0; -+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb), -+ ip_hdr(nskb)->ihl); -+ -+ /* "Never happens" */ -+ if (nskb->len > dst_mtu(nskb->dst)) -+ goto free_nskb; -+ -+ nf_ct_attach(nskb, oldskb); -+ -+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, -+ dst_output); -+ return; -+ -+ free_nskb: -+ kfree_skb(nskb); -+} -+ -+static unsigned int xt_delude_target(struct sk_buff **pskb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* WARNING: This code causes reentry within iptables. -+ This means that the iptables jump stack is now crap. We -+ must return an absolute verdict. --RR */ -+ send_reset(*pskb, hooknum); -+ return NF_DROP; -+} -+ -+static int xt_delude_check(const char *tablename, const void *e_void, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) { -+ printk(KERN_WARNING PFX "DELUDE may not be used in chains " -+ "other than INPUT and FORWARD\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+static struct xt_target xt_delude_info = { -+ .name = "DELUDE", -+ .target = xt_delude_target, -+ .checkentry = xt_delude_check, -+ .table = "filter", -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_delude_init(void) -+{ -+ return xt_register_target(&xt_delude_info); -+} -+ -+static void __exit xt_delude_exit(void) -+{ -+ xt_unregister_target(&xt_delude_info); -+} -+ -+module_init(xt_delude_init); -+module_exit(xt_delude_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter DELUDE target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_DELUDE"); -diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/netfilter/xt_portscan.c ---- linux-2.6.21.1.old/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/xt_portscan.c 2007-05-26 20:40:11.004183528 +0200 -@@ -0,0 +1,272 @@ -+/* -+ portscan match for netfilter -+ -+ Written by Jan Engelhardt, 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+enum { -+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, -+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, -+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, -+}; -+ -+/* Module parameters */ -+static unsigned int -+ connmark_mask = ~0, -+ packet_mask = ~0, -+ mark_seen = 0x9, -+ mark_synrcv = 0x1, -+ mark_closed = 0x2, -+ mark_synscan = 0x3, -+ mark_estab1 = 0x4, -+ mark_estab2 = 0x5, -+ mark_cnscan = 0x6, -+ mark_grscan = 0x7, -+ mark_valid = 0x8; -+ -+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); -+module_param(packet_mask, uint, S_IRUGO | S_IWUSR); -+module_param(mark_seen, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); -+module_param(mark_closed, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); -+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_valid, uint, S_IRUGO | S_IWUSR); -+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); -+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); -+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); -+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); -+MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); -+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); -+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); -+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); -+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); -+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); -+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); -+ -+/* TCP flag functions */ -+static inline int tflg_ack4(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_ack6(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_fin(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; -+} -+ -+static inline int tflg_rst(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; -+} -+ -+static inline int tflg_rstack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_ACK | TCP_FLAG_RST); -+} -+ -+static inline int tflg_syn(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; -+} -+ -+static inline int tflg_synack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_SYN | TCP_FLAG_ACK); -+} -+ -+/* portscan functions */ -+static inline int xt_portscan_stealth(const struct tcphdr *th) -+{ -+ /* -+ * "Connection refused" replies to our own probes must not be matched. -+ */ -+ if(tflg_rstack(th)) -+ return 0; -+ -+ if(tflg_rst(th) && printk_ratelimit()) { -+ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); -+ return 0; -+ } -+ -+ /* -+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start -+ * packets that are not associated with any connection -- this will -+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag -+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). -+ */ -+ return !tflg_syn(th); -+} -+ -+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate, -+ int loopback, const struct tcphdr *tcph, int payload_len) -+{ -+ if(mark == mark_estab2) { -+ /* -+ * -m connmark --mark $ESTAB2 -+ */ -+ if(tflg_ack4(tcph) && payload_len == 0) -+ return mark; /* keep mark */ -+ else if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_grscan; -+ else -+ return mark_valid; -+ } else if(mark == mark_estab1) { -+ /* -+ * -m connmark --mark $ESTAB1 -+ */ -+ if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_cnscan; -+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0) -+ return mark_estab2; -+ else -+ return mark_valid; -+ } else if(mark == mark_synrcv) { -+ /* -+ * -m connmark --mark $SYN -+ */ -+ if(loopback && tflg_synack(tcph)) -+ return mark; /* keep mark */ -+ else if(loopback && tflg_rstack(tcph)) -+ return mark_closed; -+ else if(tflg_ack6(tcph)) -+ return mark_estab1; -+ else -+ return mark_synscan; -+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) { -+ /* -+ * -p tcp --syn --ctstate NEW -+ */ -+ return mark_synrcv; -+ } -+ return mark; -+} -+ -+static int xt_portscan_match(const struct sk_buff *skb, -+ const struct net_device *in, const struct net_device *out, -+ const struct xt_match *match, const void *matchinfo, int offset, -+ unsigned int protoff, int *hotdrop) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+ enum ip_conntrack_info ctstate; -+ struct nf_conn *ctdata; -+ const struct tcphdr *tcph; -+ struct tcphdr tcph_buf; -+ -+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); -+ if(tcph == NULL) -+ return 0; -+ -+ /* Check for invalid packets: -m conntrack --ctstate INVALID */ -+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { -+ if(info->match_stealth) -+ return xt_portscan_stealth(tcph); -+ /* -+ * If @ctdata is NULL, we cannot match the other scan -+ * types, return. -+ */ -+ return 0; -+ } -+ -+ /* -+ * If -m portscan was previously applied to this packet, the rules we -+ * simulate must not be run through again. And for speedup, do not call -+ * it either when the connection is already VALID. -+ */ -+ if((ctdata->mark & connmark_mask) == mark_valid || -+ (skb->nfmark & packet_mask) != mark_seen) -+ { -+ unsigned int n; -+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate, -+ in == &loopback_dev, tcph, -+ skb->len - protoff - 4 * tcph->doff); -+ -+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; -+ ((struct sk_buff *)skb)->nfmark = -+ (skb->nfmark & ~packet_mask) | mark_seen; -+ } -+ -+ return (info->match_syn && ctdata->mark == mark_synscan) || -+ (info->match_cn && ctdata->mark == mark_cnscan) || -+ (info->match_gr && ctdata->mark == mark_grscan); -+} -+ -+static int xt_portscan_checkentry(const char *tablename, const void *entry, -+ const struct xt_match *match, void *matchinfo, -+#ifdef HAVE_MATCHINFOSIZE -+ unsigned int matchinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+#ifdef HAVE_MATCHINFOSIZE -+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) { -+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n", -+ matchinfosize, -+ XT_ALIGN(sizeof(struct xt_portscan_info))); -+ return 0; -+ } -+#endif -+ if((info->match_stealth & ~1) || (info->match_syn & ~1) || -+ (info->match_cn & ~1) || (info->match_gr & ~1)) { -+ printk(KERN_WARNING PFX "Invalid flags\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+static struct xt_match xt_portscan = { -+ .name = "portscan", -+ .match = xt_portscan_match, -+ .checkentry = xt_portscan_checkentry, -+ .matchsize = sizeof(struct xt_portscan_info), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_portscan_init(void) -+{ -+ return xt_register_match(&xt_portscan); -+} -+ -+static void __exit xt_portscan_exit(void) -+{ -+ xt_unregister_match(&xt_portscan); -+ return; -+} -+ -+module_init(xt_portscan_init); -+module_exit(xt_portscan_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter portscan match module"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_portscan"); -diff -urN linux-2.6.22-rc3.old/drivers/char/random.c linux-2.6.22-rc3.dev/drivers/char/random.c ---- linux-2.6.22-rc3.old/drivers/char/random.c 2007-05-26 03:55:14.000000000 +0100 -+++ linux-2.6.22-rc3.dev/drivers/char/random.c 2007-05-29 11:21:53.000000000 +0100 -@@ -1557,6 +1557,8 @@ - return seq; - } - -+EXPORT_SYMBOL(secure_tcp_sequence_number); -+ - /* Generate secure starting point for ephemeral IPV4 transport port search */ - u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) - { diff --git a/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables_0.8.patch b/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables_0.8.patch new file mode 100644 index 0000000000..e2a288d921 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables_0.8.patch @@ -0,0 +1,866 @@ +Index: linux-2.6.22.18/include/linux/netfilter/oot_conntrack.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/include/linux/netfilter/oot_conntrack.h +@@ -0,0 +1,5 @@ ++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) ++# include ++#else /* linux-2.6.20+ */ ++# include ++#endif +Index: linux-2.6.22.18/include/linux/netfilter/oot_trans.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/include/linux/netfilter/oot_trans.h +@@ -0,0 +1,14 @@ ++/* Out of tree workarounds */ ++#include ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) ++# define HAVE_MATCHINFOSIZE 1 ++# define HAVE_TARGUSERINFO 1 ++# define HAVE_TARGINFOSIZE 1 ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) ++# define nfmark mark ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) ++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ ++ tcp_v4_check((tcph_sz), (s), (d), (csp)) ++#endif +Index: linux-2.6.22.18/include/linux/netfilter/xt_CHAOS.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/include/linux/netfilter/xt_CHAOS.h +@@ -0,0 +1,14 @@ ++#ifndef _LINUX_NETFILTER_XT_CHAOS_H ++#define _LINUX_NETFILTER_XT_CHAOS_H 1 ++ ++enum xt_chaos_target_variant { ++ XTCHAOS_NORMAL, ++ XTCHAOS_TARPIT, ++ XTCHAOS_DELUDE, ++}; ++ ++struct xt_chaos_target_info { ++ uint8_t variant; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */ +Index: linux-2.6.22.18/include/linux/netfilter/xt_portscan.h +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/include/linux/netfilter/xt_portscan.h +@@ -0,0 +1,8 @@ ++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H ++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1 ++ ++struct xt_portscan_match_info { ++ uint8_t match_stealth, match_syn, match_cn, match_gr; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */ +Index: linux-2.6.22.18/net/netfilter/find_match.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/find_match.c +@@ -0,0 +1,39 @@ ++/* ++ xt_request_find_match ++ by Jan Engelhardt , 2006 - 2007 ++ ++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: ++ Copyright (C) 2006-2006 Harald Welte ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++*/ ++#include ++#include ++#include ++#include ++ ++/* ++ * Yeah this code is sub-optimal, but the function is missing in ++ * mainline so far. -jengelh ++ */ ++static struct xt_match *xt_request_find_match_lo(int af, const char *name, ++ u8 revision) ++{ ++ static const char *const xt_prefix[] = { ++ [AF_INET] = "ip", ++ [AF_INET6] = "ip6", ++ [NF_ARP] = "arp", ++ }; ++ struct xt_match *match; ++ ++ match = try_then_request_module(xt_find_match(af, name, revision), ++ "%st_%s", xt_prefix[af], name); ++ if (IS_ERR(match) || match == NULL) ++ return NULL; ++ ++ return match; ++} ++ ++/* In case it goes into mainline, let this out-of-tree package compile */ ++#define xt_request_find_match xt_request_find_match_lo +Index: linux-2.6.22.18/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.22.18.orig/net/netfilter/Kconfig ++++ linux-2.6.22.18/net/netfilter/Kconfig +@@ -255,6 +255,14 @@ config NETFILTER_XTABLES + + # alphabetically ordered list of targets + ++config NETFILTER_XT_TARGET_CHAOS ++ tristate '"CHAOS" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `CHAOS' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_CLASSIFY + tristate '"CLASSIFY" target support' + depends on NETFILTER_XTABLES +@@ -282,6 +290,14 @@ config NETFILTER_XT_TARGET_CONNMARK + . The module will be called + ipt_CONNMARK.ko. If unsure, say `N'. + ++config NETFILTER_XT_TARGET_DELUDE ++ tristate '"DELUDE" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `DELUDE' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_DSCP + tristate '"DSCP" target support' + depends on NETFILTER_XTABLES +@@ -526,6 +542,14 @@ config NETFILTER_XT_MATCH_POLICY + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_MATCH_PORTSCAN ++ tristate '"portscan" match support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a 'portscan' match support. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_MATCH_MULTIPORT + tristate "Multiple port match support" + depends on NETFILTER_XTABLES +Index: linux-2.6.22.18/net/netfilter/Makefile +=================================================================== +--- linux-2.6.22.18.orig/net/netfilter/Makefile ++++ linux-2.6.22.18/net/netfilter/Makefile +@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK + obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o + + # matches + obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o +@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) + obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o + obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o + obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o +Index: linux-2.6.22.18/net/netfilter/xt_CHAOS.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/xt_CHAOS.c +@@ -0,0 +1,200 @@ ++/* ++ * CHAOS target for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \ ++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE) ++# include ++# include "find_match.c" ++#else ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++/* Module parameters */ ++static unsigned int reject_percentage = ~0U * .01; ++static unsigned int delude_percentage = ~0U * .0101; ++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); ++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); ++ ++/* References to other matches/targets */ ++static struct xt_match *xm_tcp; ++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; ++ ++static int have_delude, have_tarpit; ++ ++/* Static data for other matches/targets */ ++static const struct ipt_reject_info reject_params = { ++ .with = ICMP_HOST_UNREACH, ++}; ++ ++static const struct xt_tcp tcp_params = { ++ .spts = {0, ~0}, ++ .dpts = {0, ~0}, ++}; ++ ++/* CHAOS functions */ ++static void xt_chaos_total(const struct xt_chaos_target_info *info, ++ struct sk_buff **pskb, const struct net_device *in, ++ const struct net_device *out, unsigned int hooknum) ++{ ++ const struct iphdr *iph = ip_hdr(*pskb); ++ const int protoff = 4 * iph->ihl; ++ const int offset = ntohs(iph->frag_off) & IP_OFFSET; ++ const struct xt_target *destiny; ++ int hotdrop = 0, ret; ++ ++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, ++ offset, protoff, &hotdrop); ++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage) ++ return; ++ ++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; ++ destiny->target(pskb, in, out, hooknum, destiny, NULL); ++ return; ++} ++ ++static unsigned int chaos_tg(struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* ++ * Equivalent to: ++ * -A chaos -m statistic --mode random --probability \ ++ * $reject_percentage -j REJECT --reject-with host-unreach; ++ * -A chaos -p tcp -m statistic --mode random --probability \ ++ * $delude_percentage -j DELUDE; ++ * -A chaos -j DROP; ++ */ ++ const struct xt_chaos_target_info *info = targinfo; ++ const struct iphdr *iph = ip_hdr(*pskb); ++ ++ if ((unsigned int)net_random() <= reject_percentage) ++ return xt_reject->target(pskb, in, out, hooknum, target, ++ &reject_params); ++ ++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ ++ if (iph->protocol == IPPROTO_TCP && ++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) ++ xt_chaos_total(info, pskb, in, out, hooknum); ++ ++ return NF_DROP; ++} ++ ++static int chaos_tg_check(const char *tablename, const void *entry, ++ const struct xt_target *target, void *targinfo, unsigned int hook_mask) ++{ ++ const struct xt_chaos_target_info *info = targinfo; ++ ++ if (info->variant == XTCHAOS_DELUDE && !have_delude) { ++ printk(KERN_WARNING PFX "Error: Cannot use --delude when " ++ "DELUDE module not available\n"); ++ return false; ++ } ++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) { ++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " ++ "TARPIT module not available\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++static struct xt_target chaos_tg_reg = { ++ .name = "CHAOS", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | ++ (1 << NF_IP_LOCAL_OUT), ++ .checkentry = chaos_tg_check, ++ .target = chaos_tg, ++ .targetsize = sizeof(struct xt_chaos_target_info), ++ .me = THIS_MODULE, ++}; ++ ++static int __init chaos_tg_init(void) ++{ ++ int ret = -EINVAL; ++ ++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); ++ if (xm_tcp == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"tcp\" match\n"); ++ return -EINVAL; ++ } ++ ++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); ++ if (xt_reject == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"REJECT\" target\n"); ++ goto out2; ++ } ++ ++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); ++ have_tarpit = xt_tarpit != NULL; ++ if (!have_tarpit) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"TARPIT\" target\n"); ++ ++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); ++ have_delude = xt_delude != NULL; ++ if (!have_delude) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"DELUDE\" target\n"); ++ ++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) { ++ printk(KERN_WARNING PFX "xt_register_target returned " ++ "error %d\n", ret); ++ goto out3; ++ } ++ ++ return 0; ++ ++ out3: ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ module_put(xt_reject->me); ++ out2: ++ module_put(xm_tcp->me); ++ return ret; ++} ++ ++static void __exit chaos_tg_exit(void) ++{ ++ xt_unregister_target(&chaos_tg_reg); ++ module_put(xm_tcp->me); ++ module_put(xt_reject->me); ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ return; ++} ++ ++module_init(chaos_tg_init); ++module_exit(chaos_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"CHAOS\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_CHAOS"); +Index: linux-2.6.22.18/net/netfilter/xt_DELUDE.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/xt_DELUDE.c +@@ -0,0 +1,197 @@ ++/* ++ * DELUDE target ++ * Copyright © CC Computer Consultants GmbH, 2007 ++ * Contact: Jan Engelhardt ++ * ++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: ++ * (C) 1999-2001 Paul `Rusty' Russell ++ * (C) 2002-2004 Netfilter Core Team ++ * ++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#ifdef CONFIG_BRIDGE_NETFILTER ++# include ++#endif ++#include ++#define PFX KBUILD_MODNAME ": " ++ ++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook) ++{ ++ struct tcphdr _otcph, *oth, *tcph; ++ unsigned int addr_type; ++ struct sk_buff *nskb; ++ u_int16_t tmp_port; ++ u_int32_t tmp_addr; ++ struct iphdr *niph; ++ bool needs_ack; ++ ++ /* IP header checks: fragment. */ ++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) ++ return; ++ ++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), ++ sizeof(_otcph), &_otcph); ++ if (oth == NULL) ++ return; ++ ++ /* No RST for RST. */ ++ if (oth->rst) ++ return; ++ ++ /* Check checksum */ ++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) ++ return; ++ ++ /* We need a linear, writeable skb. We also need to expand ++ headroom in case hh_len of incoming interface < hh_len of ++ outgoing interface */ ++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), ++ GFP_ATOMIC); ++ if (!nskb) ++ return; ++ ++ /* This packet will not be the same as the other: clear nf fields */ ++ nf_reset(nskb); ++ nskb->mark = 0; ++ skb_init_secmark(nskb); ++ ++ skb_shinfo(nskb)->gso_size = 0; ++ skb_shinfo(nskb)->gso_segs = 0; ++ skb_shinfo(nskb)->gso_type = 0; ++ ++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb)); ++ ++ /* Swap source and dest */ ++ niph = ip_hdr(nskb); ++ tmp_addr = niph->saddr; ++ niph->saddr = niph->daddr; ++ niph->daddr = tmp_addr; ++ tmp_port = tcph->source; ++ tcph->source = tcph->dest; ++ tcph->dest = tmp_port; ++ ++ /* Truncate to length (no data) */ ++ tcph->doff = sizeof(struct tcphdr) / 4; ++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); ++ niph->tot_len = htons(nskb->len); ++ ++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) { ++ /* DELUDE essential part */ ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + ++ oldskb->len - ip_hdrlen(oldskb) - ++ (oth->doff << 2)); ++ tcph->seq = false; ++ tcph->ack = true; ++ } else { ++ if (!tcph->ack) { ++ needs_ack = true; ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + ++ oth->fin + oldskb->len - ++ ip_hdrlen(oldskb) - (oth->doff<<2)); ++ tcph->seq = false; ++ } else { ++ needs_ack = false; ++ tcph->seq = oth->ack_seq; ++ tcph->ack_seq = false; ++ } ++ ++ /* Reset flags */ ++ ((u_int8_t *)tcph)[13] = 0; ++ tcph->rst = true; ++ tcph->ack = needs_ack; ++ } ++ ++ tcph->window = 0; ++ tcph->urg_ptr = 0; ++ ++ /* Adjust TCP checksum */ ++ tcph->check = 0; ++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, ++ niph->daddr, csum_partial((char *)tcph, ++ sizeof(struct tcphdr), 0)); ++ ++ /* Set DF, id = 0 */ ++ niph->frag_off = htons(IP_DF); ++ niph->id = 0; ++ ++ addr_type = RTN_UNSPEC; ++#ifdef CONFIG_BRIDGE_NETFILTER ++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL && ++ nskb->nf_bridge->mask & BRNF_BRIDGED)) ++#else ++ if (hook != NF_IP_FORWARD) ++#endif ++ addr_type = RTN_LOCAL; ++ ++ if (ip_route_me_harder(&nskb, addr_type)) ++ goto free_nskb; ++ ++ nskb->ip_summed = CHECKSUM_NONE; ++ ++ /* Adjust IP TTL */ ++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); ++ ++ /* Adjust IP checksum */ ++ niph->check = 0; ++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl); ++ ++ /* "Never happens" */ ++ if (nskb->len > dst_mtu(nskb->dst)) ++ goto free_nskb; ++ ++ nf_ct_attach(nskb, oldskb); ++ ++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, ++ dst_output); ++ return; ++ ++ free_nskb: ++ kfree_skb(nskb); ++} ++ ++static unsigned int delude_tg(struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* WARNING: This code causes reentry within iptables. ++ This means that the iptables jump stack is now crap. We ++ must return an absolute verdict. --RR */ ++ delude_send_reset(*pskb, hooknum); ++ return NF_DROP; ++} ++ ++static struct xt_target delude_tg_reg = { ++ .name = "DELUDE", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD), ++ .target = delude_tg, ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init delude_tg_init(void) ++{ ++ return xt_register_target(&delude_tg_reg); ++} ++ ++static void __exit delude_tg_exit(void) ++{ ++ xt_unregister_target(&delude_tg_reg); ++} ++ ++module_init(delude_tg_init); ++module_exit(delude_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"DELUDE\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_DELUDE"); +Index: linux-2.6.22.18/net/netfilter/xt_portscan.c +=================================================================== +--- /dev/null ++++ linux-2.6.22.18/net/netfilter/xt_portscan.c +@@ -0,0 +1,269 @@ ++/* ++ * portscan match for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_portscan.h" ++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \ ++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE) ++# include ++#else ++# include "xt_portscan.h" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++enum { ++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, ++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, ++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, ++}; ++ ++/* Module parameters */ ++static unsigned int ++ connmark_mask = ~0, ++ packet_mask = ~0, ++ mark_seen = 0x9, ++ mark_synrcv = 0x1, ++ mark_closed = 0x2, ++ mark_synscan = 0x3, ++ mark_estab1 = 0x4, ++ mark_estab2 = 0x5, ++ mark_cnscan = 0x6, ++ mark_grscan = 0x7, ++ mark_valid = 0x8; ++ ++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); ++module_param(packet_mask, uint, S_IRUGO | S_IWUSR); ++module_param(mark_seen, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); ++module_param(mark_closed, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); ++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_valid, uint, S_IRUGO | S_IWUSR); ++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); ++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); ++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); ++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); ++MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); ++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); ++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); ++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); ++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); ++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); ++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); ++ ++/* TCP flag functions */ ++static inline bool tflg_ack4(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_ack6(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_fin(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; ++} ++ ++static inline bool tflg_rst(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; ++} ++ ++static inline bool tflg_rstack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_ACK | TCP_FLAG_RST); ++} ++ ++static inline bool tflg_syn(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; ++} ++ ++static inline bool tflg_synack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_SYN | TCP_FLAG_ACK); ++} ++ ++/* portscan functions */ ++static inline bool portscan_mt_stealth(const struct tcphdr *th) ++{ ++ /* ++ * "Connection refused" replies to our own probes must not be matched. ++ */ ++ if (tflg_rstack(th)) ++ return false; ++ ++ if (tflg_rst(th) && printk_ratelimit()) { ++ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); ++ return false; ++ } ++ ++ /* ++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start ++ * packets that are not associated with any connection -- this will ++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag ++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). ++ */ ++ return !tflg_syn(th); ++} ++ ++static inline unsigned int portscan_mt_full(int mark, ++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph, ++ unsigned int payload_len) ++{ ++ if (mark == mark_estab2) { ++ /* ++ * -m connmark --mark $ESTAB2 ++ */ ++ if (tflg_ack4(tcph) && payload_len == 0) ++ return mark; /* keep mark */ ++ else if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_grscan; ++ else ++ return mark_valid; ++ } else if (mark == mark_estab1) { ++ /* ++ * -m connmark --mark $ESTAB1 ++ */ ++ if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_cnscan; ++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0) ++ return mark_estab2; ++ else ++ return mark_valid; ++ } else if (mark == mark_synrcv) { ++ /* ++ * -m connmark --mark $SYN ++ */ ++ if (loopback && tflg_synack(tcph)) ++ return mark; /* keep mark */ ++ else if (loopback && tflg_rstack(tcph)) ++ return mark_closed; ++ else if (tflg_ack6(tcph)) ++ return mark_estab1; ++ else ++ return mark_synscan; ++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) { ++ /* ++ * -p tcp --syn --ctstate NEW ++ */ ++ return mark_synrcv; ++ } ++ return mark; ++} ++ ++static int portscan_mt(const struct sk_buff *skb, ++ const struct net_device *in, const struct net_device *out, ++ const struct xt_match *match, const void *matchinfo, int offset, ++ unsigned int protoff, int *hotdrop) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ enum ip_conntrack_info ctstate; ++ const struct tcphdr *tcph; ++ struct nf_conn *ctdata; ++ struct tcphdr tcph_buf; ++ ++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); ++ if (tcph == NULL) ++ return false; ++ ++ /* Check for invalid packets: -m conntrack --ctstate INVALID */ ++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { ++ if (info->match_stealth) ++ return portscan_mt_stealth(tcph); ++ /* ++ * If @ctdata is NULL, we cannot match the other scan ++ * types, return. ++ */ ++ return false; ++ } ++ ++ /* ++ * If -m portscan was previously applied to this packet, the rules we ++ * simulate must not be run through again. And for speedup, do not call ++ * it either when the connection is already VALID. ++ */ ++ if ((ctdata->mark & connmark_mask) == mark_valid || ++ (skb->mark & packet_mask) != mark_seen) { ++ unsigned int n; ++ ++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate, ++ in == &loopback_dev, tcph, ++ skb->len - protoff - 4 * tcph->doff); ++ ++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; ++ ((struct sk_buff *)skb)->mark = ++ (skb->mark & ~packet_mask) ^ mark_seen; ++ } ++ ++ return (info->match_syn && ctdata->mark == mark_synscan) || ++ (info->match_cn && ctdata->mark == mark_cnscan) || ++ (info->match_gr && ctdata->mark == mark_grscan); ++} ++ ++static int portscan_mt_check(const char *tablename, const void *entry, ++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ ++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) || ++ (info->match_cn & ~1) || (info->match_gr & ~1)) { ++ printk(KERN_WARNING PFX "Invalid flags\n"); ++ return false; ++ } ++ return true; ++} ++ ++static struct xt_match portscan_mt_reg __read_mostly = { ++ .name = "portscan", ++ .family = AF_INET, ++ .match = portscan_mt, ++ .checkentry = portscan_mt_check, ++ .matchsize = sizeof(struct xt_portscan_match_info), ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init portscan_mt_init(void) ++{ ++ return xt_register_match(&portscan_mt_reg); ++} ++ ++static void __exit portscan_mt_exit(void) ++{ ++ xt_unregister_match(&portscan_mt_reg); ++ return; ++} ++ ++module_init(portscan_mt_init); ++module_exit(portscan_mt_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"portscan\" match"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_portscan"); +Index: linux-2.6.22.18/drivers/char/random.c +=================================================================== +--- linux-2.6.22.18.orig/drivers/char/random.c ++++ linux-2.6.22.18/drivers/char/random.c +@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32 + return seq; + } + ++EXPORT_SYMBOL(secure_tcp_sequence_number); ++ + /* Generate secure starting point for ephemeral IPV4 transport port search */ + u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) + { diff --git a/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch index 52c89d80f2..2e5b9e813a 100644 --- a/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch +++ b/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch @@ -1,7 +1,7 @@ -Index: linux-2.6.22.4/net/netfilter/Kconfig +Index: linux-2.6.22.18/net/netfilter/Kconfig =================================================================== ---- linux-2.6.22.4.orig/net/netfilter/Kconfig -+++ linux-2.6.22.4/net/netfilter/Kconfig +--- linux-2.6.22.18.orig/net/netfilter/Kconfig ++++ linux-2.6.22.18/net/netfilter/Kconfig @@ -379,6 +379,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK To compile it as a module, choose M here. If unsure, say N. @@ -26,22 +26,22 @@ Index: linux-2.6.22.4/net/netfilter/Kconfig config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' depends on NETFILTER_XTABLES && (IPV6 || IPV6=n) -Index: linux-2.6.22.4/net/netfilter/Makefile +Index: linux-2.6.22.18/net/netfilter/Makefile =================================================================== ---- linux-2.6.22.4.orig/net/netfilter/Makefile -+++ linux-2.6.22.4/net/netfilter/Makefile -@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE +--- linux-2.6.22.18.orig/net/netfilter/Makefile ++++ linux-2.6.22.18/net/netfilter/Makefile +@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o +obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o - -Index: linux-2.6.22.4/net/netfilter/xt_TARPIT.c + obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o +Index: linux-2.6.22.18/net/netfilter/xt_TARPIT.c =================================================================== --- /dev/null -+++ linux-2.6.22.4/net/netfilter/xt_TARPIT.c ++++ linux-2.6.22.18/net/netfilter/xt_TARPIT.c @@ -0,0 +1,280 @@ +/* + * Kernel module to capture and hold incoming TCP connections using @@ -284,7 +284,7 @@ Index: linux-2.6.22.4/net/netfilter/xt_TARPIT.c + return NF_DROP; +} + -+static bool xt_tarpit_check(const char *tablename, const void *entry, ++static int xt_tarpit_check(const char *tablename, const void *entry, + const struct xt_target *target, void *targinfo, + unsigned int hook_mask) +{ diff --git a/target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch new file mode 100644 index 0000000000..2574543131 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch @@ -0,0 +1,113 @@ +Index: linux-2.6.23.16/include/linux/netfilter/xt_layer7.h +=================================================================== +--- linux-2.6.23.16.orig/include/linux/netfilter/xt_layer7.h ++++ linux-2.6.23.16/include/linux/netfilter/xt_layer7.h +@@ -8,6 +8,7 @@ struct xt_layer7_info { + char protocol[MAX_PROTOCOL_LEN]; + char pattern[MAX_PATTERN_LEN]; + u_int8_t invert; ++ u_int8_t pkt; + }; + + #endif /* _XT_LAYER7_H */ +Index: linux-2.6.23.16/net/netfilter/xt_layer7.c +=================================================================== +--- linux-2.6.23.16.orig/net/netfilter/xt_layer7.c ++++ linux-2.6.23.16/net/netfilter/xt_layer7.c +@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con + } + + /* add the new app data to the conntrack. Return number of bytes added. */ +-static int add_data(struct nf_conn * master_conntrack, +- char * app_data, int appdatalen) ++static int add_datastr(char *target, int offset, char *app_data, int len) + { + int length = 0, i; +- int oldlength = master_conntrack->layer7.app_data_len; +- +- /* This is a fix for a race condition by Deti Fliegl. However, I'm not +- clear on whether the race condition exists or whether this really +- fixes it. I might just be being dense... Anyway, if it's not really +- a fix, all it does is waste a very small amount of time. */ +- if(!master_conntrack->layer7.app_data) return 0; ++ ++ if (!target) return 0; + + /* Strip nulls. Make everything lower case (our regex lib doesn't + do case insensitivity). Add it to the end of the current data. */ +- for(i = 0; i < maxdatalen-oldlength-1 && +- i < appdatalen; i++) { ++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { + if(app_data[i] != '\0') { + /* the kernel version of tolower mungs 'upper ascii' */ +- master_conntrack->layer7.app_data[length+oldlength] = ++ target[length+offset] = + isascii(app_data[i])? + tolower(app_data[i]) : app_data[i]; + length++; + } + } ++ target[length+offset] = '\0'; ++ ++ return length; ++} + +- master_conntrack->layer7.app_data[length+oldlength] = '\0'; +- master_conntrack->layer7.app_data_len = length + oldlength; ++/* add the new app data to the conntrack. Return number of bytes added. */ ++static int add_data(struct nf_conn * master_conntrack, ++ char * app_data, int appdatalen) ++{ ++ int length; + ++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); ++ master_conntrack->layer7.app_data_len += length; + return length; + } + +@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin, + const struct xt_layer7_info * info = matchinfo; + enum ip_conntrack_info master_ctinfo, ctinfo; + struct nf_conn *master_conntrack, *conntrack; +- unsigned char * app_data; ++ unsigned char *app_data, *tmp_data; + unsigned int pattern_result, appdatalen; + regexp * comppattern; + +@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin, + master_conntrack = master_ct(master_conntrack); + + /* if we've classified it or seen too many packets */ +- if(TOTAL_PACKETS > num_packets || +- master_conntrack->layer7.app_proto) { ++ if(!info->pkt && (TOTAL_PACKETS > num_packets || ++ master_conntrack->layer7.app_proto)) { + + pattern_result = match_no_append(conntrack, master_conntrack, + ctinfo, master_ctinfo, info); +@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin, + /* the return value gets checked later, when we're ready to use it */ + comppattern = compile_and_cache(info->pattern, info->protocol); + ++ if (info->pkt) { ++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!tmp_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); ++ return info->invert; ++ } ++ ++ tmp_data[0] = '\0'; ++ add_datastr(tmp_data, 0, app_data, appdatalen); ++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); ++ ++ kfree(tmp_data); ++ tmp_data = NULL; ++ spin_unlock_bh(&l7_lock); ++ ++ return (pattern_result ^ info->invert); ++ } ++ + /* On the first packet of a connection, allocate space for app data */ + if(TOTAL_PACKETS == 1 && !skb->cb[0] && + !master_conntrack->layer7.app_data){ diff --git a/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables.patch deleted file mode 100644 index cfc0092330..0000000000 --- a/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables.patch +++ /dev/null @@ -1,970 +0,0 @@ -Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,5 @@ -+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) -+# include -+#else /* linux-2.6.20+ */ -+# include -+#endif -Index: linux-2.6.23/include/linux/netfilter/oot_trans.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,14 @@ -+/* Out of tree workarounds */ -+#include -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_MATCHINFOSIZE 1 -+# define HAVE_TARGUSERINFO 1 -+# define HAVE_TARGINFOSIZE 1 -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) -+# define nfmark mark -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) -+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ -+ tcp_v4_check((tcph_sz), (s), (d), (csp)) -+#endif -Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,14 @@ -+#ifndef _LINUX_XT_CHAOS_H -+#define _LINUX_XT_CHAOS_H 1 -+ -+enum xt_chaos_variant { -+ XTCHAOS_NORMAL, -+ XTCHAOS_TARPIT, -+ XTCHAOS_DELUDE, -+}; -+ -+struct xt_chaos_info { -+ enum xt_chaos_variant variant; -+}; -+ -+#endif /* _LINUX_XT_CHAOS_H */ -Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,8 @@ -+#ifndef _LINUX_XT_PORTSCAN_H -+#define _LINUX_XT_PORTSCAN_H 1 -+ -+struct xt_portscan_info { -+ unsigned int match_stealth, match_syn, match_cn, match_gr; -+}; -+ -+#endif /* _LINUX_XT_PORTSCAN_H */ -Index: linux-2.6.23/net/netfilter/find_match.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,39 @@ -+/* -+ xt_request_find_match -+ by Jan Engelhardt , 2006 - 2007 -+ -+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: -+ Copyright (C) 2006-2006 Harald Welte -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+ -+/* -+ * Yeah this code is sub-optimal, but the function is missing in -+ * mainline so far. -jengelh -+ */ -+static struct xt_match *xt_request_find_match_lo(int af, const char *name, -+ u8 revision) -+{ -+ static const char *const xt_prefix[] = { -+ [AF_INET] = "ip", -+ [AF_INET6] = "ip6", -+ [NF_ARP] = "arp", -+ }; -+ struct xt_match *match; -+ -+ match = try_then_request_module(xt_find_match(af, name, revision), -+ "%st_%s", xt_prefix[af], name); -+ if(IS_ERR(match) || match == NULL) -+ return NULL; -+ -+ return match; -+} -+ -+/* In case it goes into mainline, let this out-of-tree package compile */ -+#define xt_request_find_match xt_request_find_match_lo -Index: linux-2.6.23/net/netfilter/Kconfig -=================================================================== ---- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800 -+++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800 -@@ -265,6 +265,14 @@ - - # alphabetically ordered list of targets - -+config NETFILTER_XT_TARGET_CHAOS -+ tristate '"CHAOS" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `CHAOS' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_CLASSIFY - tristate '"CLASSIFY" target support' - depends on NETFILTER_XTABLES -@@ -292,6 +300,14 @@ - . The module will be called - ipt_CONNMARK.ko. If unsure, say `N'. - -+config NETFILTER_XT_TARGET_DELUDE -+ tristate '"DELUDE" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `DELUDE' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_DSCP - tristate '"DSCP" target support' - depends on NETFILTER_XTABLES -@@ -556,6 +572,14 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config NETFILTER_XT_MATCH_PORTSCAN -+ tristate '"portscan" match support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a 'portscan' match support. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_MATCH_MULTIPORT - tristate "Multiple port match support" - depends on NETFILTER_XTABLES -Index: linux-2.6.23/net/netfilter/Makefile -=================================================================== ---- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800 -+++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800 -@@ -38,8 +38,10 @@ - obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o - - # targets -+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o - obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o - obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o -+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o - obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o - obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o - obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o -@@ -66,6 +68,7 @@ - obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o - obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o - obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o -+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o - obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o - obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o - obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o -Index: linux-2.6.23/net/netfilter/xt_CHAOS.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,205 @@ -+/* -+ CHAOS target for netfilter -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "find_match.c" -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+/* Module parameters */ -+static unsigned int reject_percentage = ~0U * .01; -+static unsigned int delude_percentage = ~0U * .0101; -+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); -+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); -+ -+/* References to other matches/targets */ -+static struct xt_match *xm_tcp; -+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; -+ -+static int have_delude, have_tarpit; -+ -+/* Static data for other matches/targets */ -+static const struct ipt_reject_info reject_params = { -+ .with = ICMP_HOST_UNREACH, -+}; -+ -+static const struct xt_tcp tcp_params = { -+ .spts = {0, ~0}, -+ .dpts = {0, ~0}, -+}; -+ -+/* CHAOS functions */ -+static void xt_chaos_total(const struct xt_chaos_info *info, -+ struct sk_buff **pskb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum) -+{ -+ const int protoff = ip_hdrlen(*pskb); -+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET; -+ const struct xt_target *destiny; -+ bool hotdrop = false; -+ int ret; -+ -+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, -+ offset, protoff, &hotdrop); -+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage) -+ return; -+ -+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; -+#ifdef HAVE_TARGUSERINFO -+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL); -+#else -+ destiny->target(pskb, in, out, hooknum, destiny, NULL); -+#endif -+ return; -+} -+ -+static unsigned int xt_chaos_target(struct sk_buff **pskb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* Equivalent to: -+ * -A chaos -m statistic --mode random --probability \ -+ * $reject_percentage -j REJECT --reject-with host-unreach; -+ * -A chaos -p tcp -m statistic --mode random --probability \ -+ * $delude_percentage -j DELUDE; -+ * -A chaos -j DROP; -+ */ -+ const struct xt_chaos_info *info = targinfo; -+ -+ if((unsigned int)net_random() <= reject_percentage) -+#ifdef HAVE_TARGUSERINFO -+ return xt_reject->target(pskb, in, out, hooknum, target, -+ &reject_params, userinfo); -+#else -+ return xt_reject->target(pskb, in, out, hooknum, target, -+ &reject_params); -+#endif -+ -+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ -+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP && -+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) -+ xt_chaos_total(info, pskb, in, out, hooknum); -+ -+ return NF_DROP; -+} -+ -+static bool xt_chaos_checkentry(const char *tablename, const void *entry, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_chaos_info *info = targinfo; -+ if(info->variant == XTCHAOS_DELUDE && !have_delude) { -+ printk(KERN_WARNING PFX "Error: Cannot use --delude when " -+ "DELUDE module not available\n"); -+ return false; -+ } -+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) { -+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " -+ "TARPIT module not available\n"); -+ return false; -+ } -+ return true; -+} -+ -+static struct xt_target xt_chaos_info = { -+ .name = "CHAOS", -+ .target = xt_chaos_target, -+ .checkentry = xt_chaos_checkentry, -+ .table = "filter", -+ .targetsize = sizeof(struct xt_chaos_info), -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_chaos_init(void) -+{ -+ int ret = -EINVAL; -+ -+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); -+ if(xm_tcp == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"tcp\" match\n"); -+ return -EINVAL; -+ } -+ -+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); -+ if(xt_reject == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"REJECT\" target\n"); -+ goto out2; -+ } -+ -+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); -+ have_tarpit = xt_tarpit != NULL; -+ if(!have_tarpit) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"TARPIT\" target\n"); -+ -+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); -+ have_delude = xt_delude != NULL; -+ if(!have_delude) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"DELUDE\" target\n"); -+ -+ if((ret = xt_register_target(&xt_chaos_info)) != 0) { -+ printk(KERN_WARNING PFX "xt_register_target returned " -+ "error %d\n", ret); -+ goto out3; -+ } -+ -+ return 0; -+ -+ out3: -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ module_put(xt_reject->me); -+ out2: -+ module_put(xm_tcp->me); -+ return ret; -+} -+ -+static void __exit xt_chaos_exit(void) -+{ -+ xt_unregister_target(&xt_chaos_info); -+ module_put(xm_tcp->me); -+ module_put(xt_reject->me); -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ return; -+} -+ -+module_init(xt_chaos_init); -+module_exit(xt_chaos_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter CHAOS target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_CHAOS"); -Index: linux-2.6.23/net/netfilter/xt_DELUDE.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,288 @@ -+/* -+ DELUDE target -+ Copyright © Jan Engelhardt , 2007 -+ -+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: -+ (C) 1999-2001 Paul `Rusty' Russell -+ (C) 2002-2004 Netfilter Core Team -+ -+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef CONFIG_BRIDGE_NETFILTER -+# include -+#endif -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+static inline struct rtable *route_reverse(struct sk_buff *skb, -+ struct tcphdr *tcph, int hook) -+{ -+ struct iphdr *iph = ip_hdr(skb); -+ struct dst_entry *odst; -+ struct flowi fl = {}; -+ struct rtable *rt; -+ -+ /* We don't require ip forwarding to be enabled to be able to -+ * send a RST reply for bridged traffic. */ -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) { -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ if (hook == NF_IP_LOCAL_IN) -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ } else { -+ /* non-local src, find valid iif to satisfy -+ * rp-filter when calling ip_route_input. */ -+ fl.nl_u.ip4_u.daddr = iph->daddr; -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ -+ odst = skb->dst; -+ if (ip_route_input(skb, iph->saddr, iph->daddr, -+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ dst_release(&rt->u.dst); -+ rt = (struct rtable *)skb->dst; -+ skb->dst = odst; -+ -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ } -+ -+ if (rt->u.dst.error) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ -+ fl.proto = IPPROTO_TCP; -+ fl.fl_ip_sport = tcph->dest; -+ fl.fl_ip_dport = tcph->source; -+ -+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0); -+ -+ return rt; -+} -+ -+static void send_reset(struct sk_buff *oldskb, int hook) -+{ -+ struct sk_buff *nskb; -+ struct iphdr *iph = ip_hdr(oldskb); -+ struct tcphdr _otcph, *oth, *tcph; -+ __be16 tmp_port; -+ __be32 tmp_addr; -+ int needs_ack; -+ unsigned int addr_type; -+ -+ /* IP header checks: fragment. */ -+ if (iph->frag_off & htons(IP_OFFSET)) -+ return; -+ -+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), -+ sizeof(_otcph), &_otcph); -+ if (oth == NULL) -+ return; -+ -+ /* No RST for RST. */ -+ if (oth->rst) -+ return; -+ -+ /* Check checksum */ -+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) -+ return; -+ -+ /* We need a linear, writeable skb. We also need to expand -+ headroom in case hh_len of incoming interface < hh_len of -+ outgoing interface */ -+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), -+ GFP_ATOMIC); -+ if (!nskb) -+ return; -+ -+ /* This packet will not be the same as the other: clear nf fields */ -+ nf_reset(nskb); -+ nskb->nfmark = 0; -+ skb_init_secmark(nskb); -+ -+ skb_shinfo(nskb)->gso_size = 0; -+ skb_shinfo(nskb)->gso_segs = 0; -+ skb_shinfo(nskb)->gso_type = 0; -+ -+ tcph = tcp_hdr(nskb); -+ -+ /* Swap source and dest */ -+ tmp_addr = ip_hdr(nskb)->saddr; -+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr; -+ ip_hdr(nskb)->daddr = tmp_addr; -+ tmp_port = tcph->source; -+ tcph->source = tcph->dest; -+ tcph->dest = tmp_port; -+ -+ /* Truncate to length (no data) */ -+ tcph->doff = sizeof(struct tcphdr)/4; -+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); -+ ip_hdr(nskb)->tot_len = htons(nskb->len); -+ -+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) { -+ /* DELUDE essential part */ -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + -+ oldskb->len - ip_hdrlen(oldskb) - -+ (oth->doff << 2)); -+ tcph->seq = htonl(secure_tcp_sequence_number( -+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr, -+ tcph->source, tcph->dest)); -+ tcph->ack = 1; -+ } else { -+ if(!tcph->ack) { -+ needs_ack = 1; -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin -+ + oldskb->len - ip_hdrlen(oldskb) -+ - (oth->doff<<2)); -+ tcph->seq = 0; -+ } else { -+ needs_ack = 0; -+ tcph->seq = oth->ack_seq; -+ tcph->ack_seq = 0; -+ } -+ -+ /* Reset flags */ -+ ((u_int8_t *)tcph)[13] = 0; -+ tcph->rst = 1; -+ tcph->ack = needs_ack; -+ } -+ -+ -+ tcph->window = 0; -+ tcph->urg_ptr = 0; -+ -+ /* Adjust TCP checksum */ -+ tcph->check = 0; -+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), -+ ip_hdr(nskb)->saddr, -+ ip_hdr(nskb)->daddr, -+ csum_partial((char *)tcph, -+ sizeof(struct tcphdr), 0)); -+ -+ /* Set DF, id = 0 */ -+ ip_hdr(nskb)->frag_off = htons(IP_DF); -+ ip_hdr(nskb)->id = 0; -+ -+ addr_type = RTN_UNSPEC; -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) -+ addr_type = RTN_LOCAL; -+ -+ if (ip_route_me_harder(&nskb, addr_type)) -+ goto free_nskb; -+ -+ nskb->ip_summed = CHECKSUM_NONE; -+ -+ /* Adjust IP TTL */ -+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); -+ -+ /* Adjust IP checksum */ -+ ip_hdr(nskb)->check = 0; -+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb), -+ ip_hdr(nskb)->ihl); -+ -+ /* "Never happens" */ -+ if (nskb->len > dst_mtu(nskb->dst)) -+ goto free_nskb; -+ -+ nf_ct_attach(nskb, oldskb); -+ -+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, -+ dst_output); -+ return; -+ -+ free_nskb: -+ kfree_skb(nskb); -+} -+ -+static unsigned int xt_delude_target(struct sk_buff **pskb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* WARNING: This code causes reentry within iptables. -+ This means that the iptables jump stack is now crap. We -+ must return an absolute verdict. --RR */ -+ send_reset(*pskb, hooknum); -+ return NF_DROP; -+} -+ -+static bool xt_delude_check(const char *tablename, const void *e_void, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) { -+ printk(KERN_WARNING PFX "DELUDE may not be used in chains " -+ "other than INPUT and FORWARD\n"); -+ return false; -+ } -+ return true; -+} -+ -+static struct xt_target xt_delude_info = { -+ .name = "DELUDE", -+ .target = xt_delude_target, -+ .checkentry = xt_delude_check, -+ .table = "filter", -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_delude_init(void) -+{ -+ return xt_register_target(&xt_delude_info); -+} -+ -+static void __exit xt_delude_exit(void) -+{ -+ xt_unregister_target(&xt_delude_info); -+} -+ -+module_init(xt_delude_init); -+module_exit(xt_delude_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter DELUDE target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_DELUDE"); -Index: linux-2.6.23/net/netfilter/xt_portscan.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,272 @@ -+/* -+ portscan match for netfilter -+ -+ Written by Jan Engelhardt, 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+enum { -+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, -+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, -+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, -+}; -+ -+/* Module parameters */ -+static unsigned int -+ connmark_mask = ~0, -+ packet_mask = ~0, -+ mark_seen = 0x9, -+ mark_synrcv = 0x1, -+ mark_closed = 0x2, -+ mark_synscan = 0x3, -+ mark_estab1 = 0x4, -+ mark_estab2 = 0x5, -+ mark_cnscan = 0x6, -+ mark_grscan = 0x7, -+ mark_valid = 0x8; -+ -+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); -+module_param(packet_mask, uint, S_IRUGO | S_IWUSR); -+module_param(mark_seen, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); -+module_param(mark_closed, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); -+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_valid, uint, S_IRUGO | S_IWUSR); -+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); -+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); -+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); -+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); -+MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); -+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); -+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); -+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); -+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); -+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); -+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); -+ -+/* TCP flag functions */ -+static inline int tflg_ack4(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_ack6(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_fin(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; -+} -+ -+static inline int tflg_rst(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; -+} -+ -+static inline int tflg_rstack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_ACK | TCP_FLAG_RST); -+} -+ -+static inline int tflg_syn(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; -+} -+ -+static inline int tflg_synack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_SYN | TCP_FLAG_ACK); -+} -+ -+/* portscan functions */ -+static inline int xt_portscan_stealth(const struct tcphdr *th) -+{ -+ /* -+ * "Connection refused" replies to our own probes must not be matched. -+ */ -+ if(tflg_rstack(th)) -+ return 0; -+ -+ if(tflg_rst(th) && printk_ratelimit()) { -+ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); -+ return 0; -+ } -+ -+ /* -+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start -+ * packets that are not associated with any connection -- this will -+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag -+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). -+ */ -+ return !tflg_syn(th); -+} -+ -+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate, -+ int loopback, const struct tcphdr *tcph, int payload_len) -+{ -+ if(mark == mark_estab2) { -+ /* -+ * -m connmark --mark $ESTAB2 -+ */ -+ if(tflg_ack4(tcph) && payload_len == 0) -+ return mark; /* keep mark */ -+ else if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_grscan; -+ else -+ return mark_valid; -+ } else if(mark == mark_estab1) { -+ /* -+ * -m connmark --mark $ESTAB1 -+ */ -+ if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_cnscan; -+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0) -+ return mark_estab2; -+ else -+ return mark_valid; -+ } else if(mark == mark_synrcv) { -+ /* -+ * -m connmark --mark $SYN -+ */ -+ if(loopback && tflg_synack(tcph)) -+ return mark; /* keep mark */ -+ else if(loopback && tflg_rstack(tcph)) -+ return mark_closed; -+ else if(tflg_ack6(tcph)) -+ return mark_estab1; -+ else -+ return mark_synscan; -+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) { -+ /* -+ * -p tcp --syn --ctstate NEW -+ */ -+ return mark_synrcv; -+ } -+ return mark; -+} -+ -+static bool xt_portscan_match(const struct sk_buff *skb, -+ const struct net_device *in, const struct net_device *out, -+ const struct xt_match *match, const void *matchinfo, int offset, -+ unsigned int protoff, bool *hotdrop) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+ enum ip_conntrack_info ctstate; -+ struct nf_conn *ctdata; -+ const struct tcphdr *tcph; -+ struct tcphdr tcph_buf; -+ -+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); -+ if(tcph == NULL) -+ return false; -+ -+ /* Check for invalid packets: -m conntrack --ctstate INVALID */ -+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { -+ if(info->match_stealth) -+ return xt_portscan_stealth(tcph); -+ /* -+ * If @ctdata is NULL, we cannot match the other scan -+ * types, return. -+ */ -+ return false; -+ } -+ -+ /* -+ * If -m portscan was previously applied to this packet, the rules we -+ * simulate must not be run through again. And for speedup, do not call -+ * it either when the connection is already VALID. -+ */ -+ if((ctdata->mark & connmark_mask) == mark_valid || -+ (skb->nfmark & packet_mask) != mark_seen) -+ { -+ unsigned int n; -+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate, -+ in == &loopback_dev, tcph, -+ skb->len - protoff - 4 * tcph->doff); -+ -+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; -+ ((struct sk_buff *)skb)->nfmark = -+ (skb->nfmark & ~packet_mask) | mark_seen; -+ } -+ -+ return (info->match_syn && ctdata->mark == mark_synscan) || -+ (info->match_cn && ctdata->mark == mark_cnscan) || -+ (info->match_gr && ctdata->mark == mark_grscan); -+} -+ -+static bool xt_portscan_checkentry(const char *tablename, const void *entry, -+ const struct xt_match *match, void *matchinfo, -+#ifdef HAVE_MATCHINFOSIZE -+ unsigned int matchinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+#ifdef HAVE_MATCHINFOSIZE -+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) { -+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n", -+ matchinfosize, -+ XT_ALIGN(sizeof(struct xt_portscan_info))); -+ return false; -+ } -+#endif -+ if((info->match_stealth & ~1) || (info->match_syn & ~1) || -+ (info->match_cn & ~1) || (info->match_gr & ~1)) { -+ printk(KERN_WARNING PFX "Invalid flags\n"); -+ return false; -+ } -+ return true; -+} -+ -+static struct xt_match xt_portscan = { -+ .name = "portscan", -+ .match = xt_portscan_match, -+ .checkentry = xt_portscan_checkentry, -+ .matchsize = sizeof(struct xt_portscan_info), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_portscan_init(void) -+{ -+ return xt_register_match(&xt_portscan); -+} -+ -+static void __exit xt_portscan_exit(void) -+{ -+ xt_unregister_match(&xt_portscan); -+ return; -+} -+ -+module_init(xt_portscan_init); -+module_exit(xt_portscan_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter portscan match module"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_portscan"); -Index: linux-2.6.23/drivers/char/random.c -=================================================================== ---- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800 -+++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800 -@@ -1564,6 +1564,8 @@ - return seq; - } - -+EXPORT_SYMBOL(secure_tcp_sequence_number); -+ - /* Generate secure starting point for ephemeral IPV4 transport port search */ - u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) - { diff --git a/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables_0.8.patch b/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables_0.8.patch new file mode 100644 index 0000000000..ad9e0597bf --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables_0.8.patch @@ -0,0 +1,866 @@ +Index: linux-2.6.23.16/include/linux/netfilter/oot_conntrack.h +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/include/linux/netfilter/oot_conntrack.h +@@ -0,0 +1,5 @@ ++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) ++# include ++#else /* linux-2.6.20+ */ ++# include ++#endif +Index: linux-2.6.23.16/include/linux/netfilter/oot_trans.h +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/include/linux/netfilter/oot_trans.h +@@ -0,0 +1,14 @@ ++/* Out of tree workarounds */ ++#include ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) ++# define HAVE_MATCHINFOSIZE 1 ++# define HAVE_TARGUSERINFO 1 ++# define HAVE_TARGINFOSIZE 1 ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) ++# define nfmark mark ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) ++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ ++ tcp_v4_check((tcph_sz), (s), (d), (csp)) ++#endif +Index: linux-2.6.23.16/include/linux/netfilter/xt_CHAOS.h +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/include/linux/netfilter/xt_CHAOS.h +@@ -0,0 +1,14 @@ ++#ifndef _LINUX_NETFILTER_XT_CHAOS_H ++#define _LINUX_NETFILTER_XT_CHAOS_H 1 ++ ++enum xt_chaos_target_variant { ++ XTCHAOS_NORMAL, ++ XTCHAOS_TARPIT, ++ XTCHAOS_DELUDE, ++}; ++ ++struct xt_chaos_target_info { ++ uint8_t variant; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */ +Index: linux-2.6.23.16/include/linux/netfilter/xt_portscan.h +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/include/linux/netfilter/xt_portscan.h +@@ -0,0 +1,8 @@ ++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H ++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1 ++ ++struct xt_portscan_match_info { ++ uint8_t match_stealth, match_syn, match_cn, match_gr; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */ +Index: linux-2.6.23.16/net/netfilter/find_match.c +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/net/netfilter/find_match.c +@@ -0,0 +1,39 @@ ++/* ++ xt_request_find_match ++ by Jan Engelhardt , 2006 - 2007 ++ ++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: ++ Copyright (C) 2006-2006 Harald Welte ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++*/ ++#include ++#include ++#include ++#include ++ ++/* ++ * Yeah this code is sub-optimal, but the function is missing in ++ * mainline so far. -jengelh ++ */ ++static struct xt_match *xt_request_find_match_lo(int af, const char *name, ++ u8 revision) ++{ ++ static const char *const xt_prefix[] = { ++ [AF_INET] = "ip", ++ [AF_INET6] = "ip6", ++ [NF_ARP] = "arp", ++ }; ++ struct xt_match *match; ++ ++ match = try_then_request_module(xt_find_match(af, name, revision), ++ "%st_%s", xt_prefix[af], name); ++ if (IS_ERR(match) || match == NULL) ++ return NULL; ++ ++ return match; ++} ++ ++/* In case it goes into mainline, let this out-of-tree package compile */ ++#define xt_request_find_match xt_request_find_match_lo +Index: linux-2.6.23.16/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.23.16.orig/net/netfilter/Kconfig ++++ linux-2.6.23.16/net/netfilter/Kconfig +@@ -265,6 +265,14 @@ config NETFILTER_XTABLES + + # alphabetically ordered list of targets + ++config NETFILTER_XT_TARGET_CHAOS ++ tristate '"CHAOS" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `CHAOS' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_CLASSIFY + tristate '"CLASSIFY" target support' + depends on NETFILTER_XTABLES +@@ -292,6 +300,14 @@ config NETFILTER_XT_TARGET_CONNMARK + . The module will be called + ipt_CONNMARK.ko. If unsure, say `N'. + ++config NETFILTER_XT_TARGET_DELUDE ++ tristate '"DELUDE" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `DELUDE' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_DSCP + tristate '"DSCP" target support' + depends on NETFILTER_XTABLES +@@ -556,6 +572,14 @@ config NETFILTER_XT_MATCH_POLICY + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_MATCH_PORTSCAN ++ tristate '"portscan" match support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a 'portscan' match support. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_MATCH_MULTIPORT + tristate "Multiple port match support" + depends on NETFILTER_XTABLES +Index: linux-2.6.23.16/net/netfilter/Makefile +=================================================================== +--- linux-2.6.23.16.orig/net/netfilter/Makefile ++++ linux-2.6.23.16/net/netfilter/Makefile +@@ -49,6 +49,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) + obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o + + # matches + obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o +@@ -78,3 +80,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) + obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o + obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o + obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o +Index: linux-2.6.23.16/net/netfilter/xt_CHAOS.c +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/net/netfilter/xt_CHAOS.c +@@ -0,0 +1,200 @@ ++/* ++ * CHAOS target for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \ ++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE) ++# include ++# include "find_match.c" ++#else ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++/* Module parameters */ ++static unsigned int reject_percentage = ~0U * .01; ++static unsigned int delude_percentage = ~0U * .0101; ++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); ++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); ++ ++/* References to other matches/targets */ ++static struct xt_match *xm_tcp; ++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; ++ ++static int have_delude, have_tarpit; ++ ++/* Static data for other matches/targets */ ++static const struct ipt_reject_info reject_params = { ++ .with = ICMP_HOST_UNREACH, ++}; ++ ++static const struct xt_tcp tcp_params = { ++ .spts = {0, ~0}, ++ .dpts = {0, ~0}, ++}; ++ ++/* CHAOS functions */ ++static void xt_chaos_total(const struct xt_chaos_target_info *info, ++ struct sk_buff **pskb, const struct net_device *in, ++ const struct net_device *out, unsigned int hooknum) ++{ ++ const struct iphdr *iph = ip_hdr(*pskb); ++ const int protoff = 4 * iph->ihl; ++ const int offset = ntohs(iph->frag_off) & IP_OFFSET; ++ const struct xt_target *destiny; ++ bool hotdrop = false, ret; ++ ++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, ++ offset, protoff, &hotdrop); ++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage) ++ return; ++ ++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; ++ destiny->target(pskb, in, out, hooknum, destiny, NULL); ++ return; ++} ++ ++static unsigned int chaos_tg(struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* ++ * Equivalent to: ++ * -A chaos -m statistic --mode random --probability \ ++ * $reject_percentage -j REJECT --reject-with host-unreach; ++ * -A chaos -p tcp -m statistic --mode random --probability \ ++ * $delude_percentage -j DELUDE; ++ * -A chaos -j DROP; ++ */ ++ const struct xt_chaos_target_info *info = targinfo; ++ const struct iphdr *iph = ip_hdr(*pskb); ++ ++ if ((unsigned int)net_random() <= reject_percentage) ++ return xt_reject->target(pskb, in, out, hooknum, target, ++ &reject_params); ++ ++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ ++ if (iph->protocol == IPPROTO_TCP && ++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) ++ xt_chaos_total(info, pskb, in, out, hooknum); ++ ++ return NF_DROP; ++} ++ ++static bool chaos_tg_check(const char *tablename, const void *entry, ++ const struct xt_target *target, void *targinfo, unsigned int hook_mask) ++{ ++ const struct xt_chaos_target_info *info = targinfo; ++ ++ if (info->variant == XTCHAOS_DELUDE && !have_delude) { ++ printk(KERN_WARNING PFX "Error: Cannot use --delude when " ++ "DELUDE module not available\n"); ++ return false; ++ } ++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) { ++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " ++ "TARPIT module not available\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++static struct xt_target chaos_tg_reg = { ++ .name = "CHAOS", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | ++ (1 << NF_IP_LOCAL_OUT), ++ .checkentry = chaos_tg_check, ++ .target = chaos_tg, ++ .targetsize = sizeof(struct xt_chaos_target_info), ++ .me = THIS_MODULE, ++}; ++ ++static int __init chaos_tg_init(void) ++{ ++ int ret = -EINVAL; ++ ++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); ++ if (xm_tcp == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"tcp\" match\n"); ++ return -EINVAL; ++ } ++ ++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); ++ if (xt_reject == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"REJECT\" target\n"); ++ goto out2; ++ } ++ ++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); ++ have_tarpit = xt_tarpit != NULL; ++ if (!have_tarpit) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"TARPIT\" target\n"); ++ ++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); ++ have_delude = xt_delude != NULL; ++ if (!have_delude) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"DELUDE\" target\n"); ++ ++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) { ++ printk(KERN_WARNING PFX "xt_register_target returned " ++ "error %d\n", ret); ++ goto out3; ++ } ++ ++ return 0; ++ ++ out3: ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ module_put(xt_reject->me); ++ out2: ++ module_put(xm_tcp->me); ++ return ret; ++} ++ ++static void __exit chaos_tg_exit(void) ++{ ++ xt_unregister_target(&chaos_tg_reg); ++ module_put(xm_tcp->me); ++ module_put(xt_reject->me); ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ return; ++} ++ ++module_init(chaos_tg_init); ++module_exit(chaos_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"CHAOS\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_CHAOS"); +Index: linux-2.6.23.16/net/netfilter/xt_DELUDE.c +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/net/netfilter/xt_DELUDE.c +@@ -0,0 +1,197 @@ ++/* ++ * DELUDE target ++ * Copyright © CC Computer Consultants GmbH, 2007 ++ * Contact: Jan Engelhardt ++ * ++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: ++ * (C) 1999-2001 Paul `Rusty' Russell ++ * (C) 2002-2004 Netfilter Core Team ++ * ++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#ifdef CONFIG_BRIDGE_NETFILTER ++# include ++#endif ++#include ++#define PFX KBUILD_MODNAME ": " ++ ++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook) ++{ ++ struct tcphdr _otcph, *oth, *tcph; ++ unsigned int addr_type; ++ struct sk_buff *nskb; ++ u_int16_t tmp_port; ++ u_int32_t tmp_addr; ++ struct iphdr *niph; ++ bool needs_ack; ++ ++ /* IP header checks: fragment. */ ++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) ++ return; ++ ++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), ++ sizeof(_otcph), &_otcph); ++ if (oth == NULL) ++ return; ++ ++ /* No RST for RST. */ ++ if (oth->rst) ++ return; ++ ++ /* Check checksum */ ++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) ++ return; ++ ++ /* We need a linear, writeable skb. We also need to expand ++ headroom in case hh_len of incoming interface < hh_len of ++ outgoing interface */ ++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), ++ GFP_ATOMIC); ++ if (!nskb) ++ return; ++ ++ /* This packet will not be the same as the other: clear nf fields */ ++ nf_reset(nskb); ++ nskb->mark = 0; ++ skb_init_secmark(nskb); ++ ++ skb_shinfo(nskb)->gso_size = 0; ++ skb_shinfo(nskb)->gso_segs = 0; ++ skb_shinfo(nskb)->gso_type = 0; ++ ++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb)); ++ ++ /* Swap source and dest */ ++ niph = ip_hdr(nskb); ++ tmp_addr = niph->saddr; ++ niph->saddr = niph->daddr; ++ niph->daddr = tmp_addr; ++ tmp_port = tcph->source; ++ tcph->source = tcph->dest; ++ tcph->dest = tmp_port; ++ ++ /* Truncate to length (no data) */ ++ tcph->doff = sizeof(struct tcphdr) / 4; ++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); ++ niph->tot_len = htons(nskb->len); ++ ++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) { ++ /* DELUDE essential part */ ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + ++ oldskb->len - ip_hdrlen(oldskb) - ++ (oth->doff << 2)); ++ tcph->seq = false; ++ tcph->ack = true; ++ } else { ++ if (!tcph->ack) { ++ needs_ack = true; ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + ++ oth->fin + oldskb->len - ++ ip_hdrlen(oldskb) - (oth->doff<<2)); ++ tcph->seq = false; ++ } else { ++ needs_ack = false; ++ tcph->seq = oth->ack_seq; ++ tcph->ack_seq = false; ++ } ++ ++ /* Reset flags */ ++ ((u_int8_t *)tcph)[13] = 0; ++ tcph->rst = true; ++ tcph->ack = needs_ack; ++ } ++ ++ tcph->window = 0; ++ tcph->urg_ptr = 0; ++ ++ /* Adjust TCP checksum */ ++ tcph->check = 0; ++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, ++ niph->daddr, csum_partial((char *)tcph, ++ sizeof(struct tcphdr), 0)); ++ ++ /* Set DF, id = 0 */ ++ niph->frag_off = htons(IP_DF); ++ niph->id = 0; ++ ++ addr_type = RTN_UNSPEC; ++#ifdef CONFIG_BRIDGE_NETFILTER ++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL && ++ nskb->nf_bridge->mask & BRNF_BRIDGED)) ++#else ++ if (hook != NF_IP_FORWARD) ++#endif ++ addr_type = RTN_LOCAL; ++ ++ if (ip_route_me_harder(&nskb, addr_type)) ++ goto free_nskb; ++ ++ nskb->ip_summed = CHECKSUM_NONE; ++ ++ /* Adjust IP TTL */ ++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); ++ ++ /* Adjust IP checksum */ ++ niph->check = 0; ++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl); ++ ++ /* "Never happens" */ ++ if (nskb->len > dst_mtu(nskb->dst)) ++ goto free_nskb; ++ ++ nf_ct_attach(nskb, oldskb); ++ ++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, ++ dst_output); ++ return; ++ ++ free_nskb: ++ kfree_skb(nskb); ++} ++ ++static unsigned int delude_tg(struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* WARNING: This code causes reentry within iptables. ++ This means that the iptables jump stack is now crap. We ++ must return an absolute verdict. --RR */ ++ delude_send_reset(*pskb, hooknum); ++ return NF_DROP; ++} ++ ++static struct xt_target delude_tg_reg = { ++ .name = "DELUDE", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD), ++ .target = delude_tg, ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init delude_tg_init(void) ++{ ++ return xt_register_target(&delude_tg_reg); ++} ++ ++static void __exit delude_tg_exit(void) ++{ ++ xt_unregister_target(&delude_tg_reg); ++} ++ ++module_init(delude_tg_init); ++module_exit(delude_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"DELUDE\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_DELUDE"); +Index: linux-2.6.23.16/net/netfilter/xt_portscan.c +=================================================================== +--- /dev/null ++++ linux-2.6.23.16/net/netfilter/xt_portscan.c +@@ -0,0 +1,269 @@ ++/* ++ * portscan match for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_portscan.h" ++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \ ++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE) ++# include ++#else ++# include "xt_portscan.h" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++enum { ++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, ++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, ++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, ++}; ++ ++/* Module parameters */ ++static unsigned int ++ connmark_mask = ~0, ++ packet_mask = ~0, ++ mark_seen = 0x9, ++ mark_synrcv = 0x1, ++ mark_closed = 0x2, ++ mark_synscan = 0x3, ++ mark_estab1 = 0x4, ++ mark_estab2 = 0x5, ++ mark_cnscan = 0x6, ++ mark_grscan = 0x7, ++ mark_valid = 0x8; ++ ++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); ++module_param(packet_mask, uint, S_IRUGO | S_IWUSR); ++module_param(mark_seen, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); ++module_param(mark_closed, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); ++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_valid, uint, S_IRUGO | S_IWUSR); ++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); ++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); ++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); ++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); ++MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); ++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); ++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); ++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); ++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); ++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); ++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); ++ ++/* TCP flag functions */ ++static inline bool tflg_ack4(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_ack6(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_fin(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; ++} ++ ++static inline bool tflg_rst(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; ++} ++ ++static inline bool tflg_rstack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_ACK | TCP_FLAG_RST); ++} ++ ++static inline bool tflg_syn(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; ++} ++ ++static inline bool tflg_synack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_SYN | TCP_FLAG_ACK); ++} ++ ++/* portscan functions */ ++static inline bool portscan_mt_stealth(const struct tcphdr *th) ++{ ++ /* ++ * "Connection refused" replies to our own probes must not be matched. ++ */ ++ if (tflg_rstack(th)) ++ return false; ++ ++ if (tflg_rst(th) && printk_ratelimit()) { ++ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); ++ return false; ++ } ++ ++ /* ++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start ++ * packets that are not associated with any connection -- this will ++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag ++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). ++ */ ++ return !tflg_syn(th); ++} ++ ++static inline unsigned int portscan_mt_full(int mark, ++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph, ++ unsigned int payload_len) ++{ ++ if (mark == mark_estab2) { ++ /* ++ * -m connmark --mark $ESTAB2 ++ */ ++ if (tflg_ack4(tcph) && payload_len == 0) ++ return mark; /* keep mark */ ++ else if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_grscan; ++ else ++ return mark_valid; ++ } else if (mark == mark_estab1) { ++ /* ++ * -m connmark --mark $ESTAB1 ++ */ ++ if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_cnscan; ++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0) ++ return mark_estab2; ++ else ++ return mark_valid; ++ } else if (mark == mark_synrcv) { ++ /* ++ * -m connmark --mark $SYN ++ */ ++ if (loopback && tflg_synack(tcph)) ++ return mark; /* keep mark */ ++ else if (loopback && tflg_rstack(tcph)) ++ return mark_closed; ++ else if (tflg_ack6(tcph)) ++ return mark_estab1; ++ else ++ return mark_synscan; ++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) { ++ /* ++ * -p tcp --syn --ctstate NEW ++ */ ++ return mark_synrcv; ++ } ++ return mark; ++} ++ ++static bool portscan_mt(const struct sk_buff *skb, ++ const struct net_device *in, const struct net_device *out, ++ const struct xt_match *match, const void *matchinfo, int offset, ++ unsigned int protoff, bool *hotdrop) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ enum ip_conntrack_info ctstate; ++ const struct tcphdr *tcph; ++ struct nf_conn *ctdata; ++ struct tcphdr tcph_buf; ++ ++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); ++ if (tcph == NULL) ++ return false; ++ ++ /* Check for invalid packets: -m conntrack --ctstate INVALID */ ++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { ++ if (info->match_stealth) ++ return portscan_mt_stealth(tcph); ++ /* ++ * If @ctdata is NULL, we cannot match the other scan ++ * types, return. ++ */ ++ return false; ++ } ++ ++ /* ++ * If -m portscan was previously applied to this packet, the rules we ++ * simulate must not be run through again. And for speedup, do not call ++ * it either when the connection is already VALID. ++ */ ++ if ((ctdata->mark & connmark_mask) == mark_valid || ++ (skb->mark & packet_mask) != mark_seen) { ++ unsigned int n; ++ ++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate, ++ in == &loopback_dev, tcph, ++ skb->len - protoff - 4 * tcph->doff); ++ ++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; ++ ((struct sk_buff *)skb)->mark = ++ (skb->mark & ~packet_mask) ^ mark_seen; ++ } ++ ++ return (info->match_syn && ctdata->mark == mark_synscan) || ++ (info->match_cn && ctdata->mark == mark_cnscan) || ++ (info->match_gr && ctdata->mark == mark_grscan); ++} ++ ++static bool portscan_mt_check(const char *tablename, const void *entry, ++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ ++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) || ++ (info->match_cn & ~1) || (info->match_gr & ~1)) { ++ printk(KERN_WARNING PFX "Invalid flags\n"); ++ return false; ++ } ++ return true; ++} ++ ++static struct xt_match portscan_mt_reg __read_mostly = { ++ .name = "portscan", ++ .family = AF_INET, ++ .match = portscan_mt, ++ .checkentry = portscan_mt_check, ++ .matchsize = sizeof(struct xt_portscan_match_info), ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init portscan_mt_init(void) ++{ ++ return xt_register_match(&portscan_mt_reg); ++} ++ ++static void __exit portscan_mt_exit(void) ++{ ++ xt_unregister_match(&portscan_mt_reg); ++ return; ++} ++ ++module_init(portscan_mt_init); ++module_exit(portscan_mt_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"portscan\" match"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_portscan"); +Index: linux-2.6.23.16/drivers/char/random.c +=================================================================== +--- linux-2.6.23.16.orig/drivers/char/random.c ++++ linux-2.6.23.16/drivers/char/random.c +@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32 + return seq; + } + ++EXPORT_SYMBOL(secure_tcp_sequence_number); ++ + /* Generate secure starting point for ephemeral IPV4 transport port search */ + u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) + { diff --git a/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch index 058dda5c28..073951a15c 100644 --- a/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch +++ b/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch @@ -1,7 +1,7 @@ -Index: linux-2.6.23/net/netfilter/Kconfig +Index: linux-2.6.23.16/net/netfilter/Kconfig =================================================================== ---- linux-2.6.23.orig/net/netfilter/Kconfig -+++ linux-2.6.23/net/netfilter/Kconfig +--- linux-2.6.23.16.orig/net/netfilter/Kconfig ++++ linux-2.6.23.16/net/netfilter/Kconfig @@ -401,6 +401,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK To compile it as a module, choose M here. If unsure, say N. @@ -26,22 +26,22 @@ Index: linux-2.6.23/net/netfilter/Kconfig config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' depends on NETFILTER_XTABLES && (IPV6 || IPV6=n) -Index: linux-2.6.23/net/netfilter/Makefile +Index: linux-2.6.23.16/net/netfilter/Makefile =================================================================== ---- linux-2.6.23.orig/net/netfilter/Makefile -+++ linux-2.6.23/net/netfilter/Makefile -@@ -49,6 +49,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) +--- linux-2.6.23.16.orig/net/netfilter/Makefile ++++ linux-2.6.23.16/net/netfilter/Makefile +@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o +obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o - -Index: linux-2.6.23/net/netfilter/xt_TARPIT.c + obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o +Index: linux-2.6.23.16/net/netfilter/xt_TARPIT.c =================================================================== --- /dev/null -+++ linux-2.6.23/net/netfilter/xt_TARPIT.c ++++ linux-2.6.23.16/net/netfilter/xt_TARPIT.c @@ -0,0 +1,280 @@ +/* + * Kernel module to capture and hold incoming TCP connections using diff --git a/target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch new file mode 100644 index 0000000000..9605e4fa62 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch @@ -0,0 +1,113 @@ +Index: linux-2.6.24/include/linux/netfilter/xt_layer7.h +=================================================================== +--- linux-2.6.24.orig/include/linux/netfilter/xt_layer7.h ++++ linux-2.6.24/include/linux/netfilter/xt_layer7.h +@@ -8,6 +8,7 @@ struct xt_layer7_info { + char protocol[MAX_PROTOCOL_LEN]; + char pattern[MAX_PATTERN_LEN]; + u_int8_t invert; ++ u_int8_t pkt; + }; + + #endif /* _XT_LAYER7_H */ +Index: linux-2.6.24/net/netfilter/xt_layer7.c +=================================================================== +--- linux-2.6.24.orig/net/netfilter/xt_layer7.c ++++ linux-2.6.24/net/netfilter/xt_layer7.c +@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con + } + + /* add the new app data to the conntrack. Return number of bytes added. */ +-static int add_data(struct nf_conn * master_conntrack, +- char * app_data, int appdatalen) ++static int add_datastr(char *target, int offset, char *app_data, int len) + { + int length = 0, i; +- int oldlength = master_conntrack->layer7.app_data_len; +- +- /* This is a fix for a race condition by Deti Fliegl. However, I'm not +- clear on whether the race condition exists or whether this really +- fixes it. I might just be being dense... Anyway, if it's not really +- a fix, all it does is waste a very small amount of time. */ +- if(!master_conntrack->layer7.app_data) return 0; ++ ++ if (!target) return 0; + + /* Strip nulls. Make everything lower case (our regex lib doesn't + do case insensitivity). Add it to the end of the current data. */ +- for(i = 0; i < maxdatalen-oldlength-1 && +- i < appdatalen; i++) { ++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { + if(app_data[i] != '\0') { + /* the kernel version of tolower mungs 'upper ascii' */ +- master_conntrack->layer7.app_data[length+oldlength] = ++ target[length+offset] = + isascii(app_data[i])? + tolower(app_data[i]) : app_data[i]; + length++; + } + } ++ target[length+offset] = '\0'; ++ ++ return length; ++} + +- master_conntrack->layer7.app_data[length+oldlength] = '\0'; +- master_conntrack->layer7.app_data_len = length + oldlength; ++/* add the new app data to the conntrack. Return number of bytes added. */ ++static int add_data(struct nf_conn * master_conntrack, ++ char * app_data, int appdatalen) ++{ ++ int length; + ++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); ++ master_conntrack->layer7.app_data_len += length; + return length; + } + +@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin, + const struct xt_layer7_info * info = matchinfo; + enum ip_conntrack_info master_ctinfo, ctinfo; + struct nf_conn *master_conntrack, *conntrack; +- unsigned char * app_data; ++ unsigned char *app_data, *tmp_data; + unsigned int pattern_result, appdatalen; + regexp * comppattern; + +@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin, + master_conntrack = master_ct(master_conntrack); + + /* if we've classified it or seen too many packets */ +- if(TOTAL_PACKETS > num_packets || +- master_conntrack->layer7.app_proto) { ++ if(!info->pkt && (TOTAL_PACKETS > num_packets || ++ master_conntrack->layer7.app_proto)) { + + pattern_result = match_no_append(conntrack, master_conntrack, + ctinfo, master_ctinfo, info); +@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin, + /* the return value gets checked later, when we're ready to use it */ + comppattern = compile_and_cache(info->pattern, info->protocol); + ++ if (info->pkt) { ++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!tmp_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); ++ return info->invert; ++ } ++ ++ tmp_data[0] = '\0'; ++ add_datastr(tmp_data, 0, app_data, appdatalen); ++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); ++ ++ kfree(tmp_data); ++ tmp_data = NULL; ++ spin_unlock_bh(&l7_lock); ++ ++ return (pattern_result ^ info->invert); ++ } ++ + /* On the first packet of a connection, allocate space for app data */ + if(TOTAL_PACKETS == 1 && !skb->cb[0] && + !master_conntrack->layer7.app_data){ diff --git a/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables.patch deleted file mode 100644 index b55aeb1eb3..0000000000 --- a/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables.patch +++ /dev/null @@ -1,965 +0,0 @@ -Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,5 @@ -+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) -+# include -+#else /* linux-2.6.20+ */ -+# include -+#endif -Index: linux-2.6.23/include/linux/netfilter/oot_trans.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,14 @@ -+/* Out of tree workarounds */ -+#include -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_MATCHINFOSIZE 1 -+# define HAVE_TARGUSERINFO 1 -+# define HAVE_TARGINFOSIZE 1 -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) -+# define nfmark mark -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) -+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ -+ tcp_v4_check((tcph_sz), (s), (d), (csp)) -+#endif -Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,14 @@ -+#ifndef _LINUX_XT_CHAOS_H -+#define _LINUX_XT_CHAOS_H 1 -+ -+enum xt_chaos_variant { -+ XTCHAOS_NORMAL, -+ XTCHAOS_TARPIT, -+ XTCHAOS_DELUDE, -+}; -+ -+struct xt_chaos_info { -+ enum xt_chaos_variant variant; -+}; -+ -+#endif /* _LINUX_XT_CHAOS_H */ -Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,8 @@ -+#ifndef _LINUX_XT_PORTSCAN_H -+#define _LINUX_XT_PORTSCAN_H 1 -+ -+struct xt_portscan_info { -+ unsigned int match_stealth, match_syn, match_cn, match_gr; -+}; -+ -+#endif /* _LINUX_XT_PORTSCAN_H */ -Index: linux-2.6.23/net/netfilter/find_match.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,39 @@ -+/* -+ xt_request_find_match -+ by Jan Engelhardt , 2006 - 2007 -+ -+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: -+ Copyright (C) 2006-2006 Harald Welte -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+ -+/* -+ * Yeah this code is sub-optimal, but the function is missing in -+ * mainline so far. -jengelh -+ */ -+static struct xt_match *xt_request_find_match_lo(int af, const char *name, -+ u8 revision) -+{ -+ static const char *const xt_prefix[] = { -+ [AF_INET] = "ip", -+ [AF_INET6] = "ip6", -+ [NF_ARP] = "arp", -+ }; -+ struct xt_match *match; -+ -+ match = try_then_request_module(xt_find_match(af, name, revision), -+ "%st_%s", xt_prefix[af], name); -+ if(IS_ERR(match) || match == NULL) -+ return NULL; -+ -+ return match; -+} -+ -+/* In case it goes into mainline, let this out-of-tree package compile */ -+#define xt_request_find_match xt_request_find_match_lo -Index: linux-2.6.23/net/netfilter/Kconfig -=================================================================== ---- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800 -+++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800 -@@ -265,6 +265,14 @@ - - # alphabetically ordered list of targets - -+config NETFILTER_XT_TARGET_CHAOS -+ tristate '"CHAOS" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `CHAOS' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_CLASSIFY - tristate '"CLASSIFY" target support' - depends on NETFILTER_XTABLES -@@ -292,6 +300,14 @@ - . The module will be called - ipt_CONNMARK.ko. If unsure, say `N'. - -+config NETFILTER_XT_TARGET_DELUDE -+ tristate '"DELUDE" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `DELUDE' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_DSCP - tristate '"DSCP" target support' - depends on NETFILTER_XTABLES -@@ -556,6 +572,14 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config NETFILTER_XT_MATCH_PORTSCAN -+ tristate '"portscan" match support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a 'portscan' match support. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_MATCH_MULTIPORT - tristate "Multiple port match support" - depends on NETFILTER_XTABLES -Index: linux-2.6.23/net/netfilter/Makefile -=================================================================== ---- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800 -+++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800 -@@ -49,6 +49,8 @@ - obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o - obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o - obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o -+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o -+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o - - # matches - obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o -@@ -79,3 +81,4 @@ - obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o - obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o - obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o -+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o -Index: linux-2.6.23/net/netfilter/xt_CHAOS.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,205 @@ -+/* -+ CHAOS target for netfilter -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "find_match.c" -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+/* Module parameters */ -+static unsigned int reject_percentage = ~0U * .01; -+static unsigned int delude_percentage = ~0U * .0101; -+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); -+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); -+ -+/* References to other matches/targets */ -+static struct xt_match *xm_tcp; -+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; -+ -+static int have_delude, have_tarpit; -+ -+/* Static data for other matches/targets */ -+static const struct ipt_reject_info reject_params = { -+ .with = ICMP_HOST_UNREACH, -+}; -+ -+static const struct xt_tcp tcp_params = { -+ .spts = {0, ~0}, -+ .dpts = {0, ~0}, -+}; -+ -+/* CHAOS functions */ -+static void xt_chaos_total(const struct xt_chaos_info *info, -+ struct sk_buff *skb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum) -+{ -+ const int protoff = ip_hdrlen(skb); -+ const int offset = ntohs(ip_hdr(skb)->frag_off) & IP_OFFSET; -+ const struct xt_target *destiny; -+ bool hotdrop = false; -+ int ret; -+ -+ ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params, -+ offset, protoff, &hotdrop); -+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage) -+ return; -+ -+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; -+#ifdef HAVE_TARGUSERINFO -+ destiny->target(skb, in, out, hooknum, destiny, NULL, NULL); -+#else -+ destiny->target(skb, in, out, hooknum, destiny, NULL); -+#endif -+ return; -+} -+ -+static unsigned int xt_chaos_target(struct sk_buff *skb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* Equivalent to: -+ * -A chaos -m statistic --mode random --probability \ -+ * $reject_percentage -j REJECT --reject-with host-unreach; -+ * -A chaos -p tcp -m statistic --mode random --probability \ -+ * $delude_percentage -j DELUDE; -+ * -A chaos -j DROP; -+ */ -+ const struct xt_chaos_info *info = targinfo; -+ -+ if((unsigned int)net_random() <= reject_percentage) -+#ifdef HAVE_TARGUSERINFO -+ return xt_reject->target(skb, in, out, hooknum, target, -+ &reject_params, userinfo); -+#else -+ return xt_reject->target(skb, in, out, hooknum, target, -+ &reject_params); -+#endif -+ -+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ -+ if(ip_hdr(skb)->protocol == IPPROTO_TCP && -+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) -+ xt_chaos_total(info, skb, in, out, hooknum); -+ -+ return NF_DROP; -+} -+ -+static bool xt_chaos_checkentry(const char *tablename, const void *entry, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_chaos_info *info = targinfo; -+ if(info->variant == XTCHAOS_DELUDE && !have_delude) { -+ printk(KERN_WARNING PFX "Error: Cannot use --delude when " -+ "DELUDE module not available\n"); -+ return false; -+ } -+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) { -+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " -+ "TARPIT module not available\n"); -+ return false; -+ } -+ return true; -+} -+ -+static struct xt_target xt_chaos_info = { -+ .name = "CHAOS", -+ .target = xt_chaos_target, -+ .checkentry = xt_chaos_checkentry, -+ .table = "filter", -+ .targetsize = sizeof(struct xt_chaos_info), -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_chaos_init(void) -+{ -+ int ret = -EINVAL; -+ -+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); -+ if(xm_tcp == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"tcp\" match\n"); -+ return -EINVAL; -+ } -+ -+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); -+ if(xt_reject == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"REJECT\" target\n"); -+ goto out2; -+ } -+ -+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); -+ have_tarpit = xt_tarpit != NULL; -+ if(!have_tarpit) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"TARPIT\" target\n"); -+ -+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); -+ have_delude = xt_delude != NULL; -+ if(!have_delude) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"DELUDE\" target\n"); -+ -+ if((ret = xt_register_target(&xt_chaos_info)) != 0) { -+ printk(KERN_WARNING PFX "xt_register_target returned " -+ "error %d\n", ret); -+ goto out3; -+ } -+ -+ return 0; -+ -+ out3: -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ module_put(xt_reject->me); -+ out2: -+ module_put(xm_tcp->me); -+ return ret; -+} -+ -+static void __exit xt_chaos_exit(void) -+{ -+ xt_unregister_target(&xt_chaos_info); -+ module_put(xm_tcp->me); -+ module_put(xt_reject->me); -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ return; -+} -+ -+module_init(xt_chaos_init); -+module_exit(xt_chaos_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter CHAOS target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_CHAOS"); -Index: linux-2.6.23/net/netfilter/xt_DELUDE.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,288 @@ -+/* -+ DELUDE target -+ Copyright © Jan Engelhardt , 2007 -+ -+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: -+ (C) 1999-2001 Paul `Rusty' Russell -+ (C) 2002-2004 Netfilter Core Team -+ -+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef CONFIG_BRIDGE_NETFILTER -+# include -+#endif -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+static inline struct rtable *route_reverse(struct sk_buff *skb, -+ struct tcphdr *tcph, int hook) -+{ -+ struct iphdr *iph = ip_hdr(skb); -+ struct dst_entry *odst; -+ struct flowi fl = {}; -+ struct rtable *rt; -+ -+ /* We don't require ip forwarding to be enabled to be able to -+ * send a RST reply for bridged traffic. */ -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) { -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ if (hook == NF_IP_LOCAL_IN) -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ } else { -+ /* non-local src, find valid iif to satisfy -+ * rp-filter when calling ip_route_input. */ -+ fl.nl_u.ip4_u.daddr = iph->daddr; -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ -+ odst = skb->dst; -+ if (ip_route_input(skb, iph->saddr, iph->daddr, -+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ dst_release(&rt->u.dst); -+ rt = (struct rtable *)skb->dst; -+ skb->dst = odst; -+ -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ } -+ -+ if (rt->u.dst.error) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ -+ fl.proto = IPPROTO_TCP; -+ fl.fl_ip_sport = tcph->dest; -+ fl.fl_ip_dport = tcph->source; -+ -+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0); -+ -+ return rt; -+} -+ -+static void send_reset(struct sk_buff *oldskb, int hook) -+{ -+ struct sk_buff *nskb; -+ struct iphdr *iph = ip_hdr(oldskb); -+ struct tcphdr _otcph, *oth, *tcph; -+ __be16 tmp_port; -+ __be32 tmp_addr; -+ int needs_ack; -+ unsigned int addr_type; -+ -+ /* IP header checks: fragment. */ -+ if (iph->frag_off & htons(IP_OFFSET)) -+ return; -+ -+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), -+ sizeof(_otcph), &_otcph); -+ if (oth == NULL) -+ return; -+ -+ /* No RST for RST. */ -+ if (oth->rst) -+ return; -+ -+ /* Check checksum */ -+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) -+ return; -+ -+ /* We need a linear, writeable skb. We also need to expand -+ headroom in case hh_len of incoming interface < hh_len of -+ outgoing interface */ -+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), -+ GFP_ATOMIC); -+ if (!nskb) -+ return; -+ -+ /* This packet will not be the same as the other: clear nf fields */ -+ nf_reset(nskb); -+ nskb->nfmark = 0; -+ skb_init_secmark(nskb); -+ -+ skb_shinfo(nskb)->gso_size = 0; -+ skb_shinfo(nskb)->gso_segs = 0; -+ skb_shinfo(nskb)->gso_type = 0; -+ -+ tcph = tcp_hdr(nskb); -+ -+ /* Swap source and dest */ -+ tmp_addr = ip_hdr(nskb)->saddr; -+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr; -+ ip_hdr(nskb)->daddr = tmp_addr; -+ tmp_port = tcph->source; -+ tcph->source = tcph->dest; -+ tcph->dest = tmp_port; -+ -+ /* Truncate to length (no data) */ -+ tcph->doff = sizeof(struct tcphdr)/4; -+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); -+ ip_hdr(nskb)->tot_len = htons(nskb->len); -+ -+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) { -+ /* DELUDE essential part */ -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + -+ oldskb->len - ip_hdrlen(oldskb) - -+ (oth->doff << 2)); -+ tcph->seq = htonl(secure_tcp_sequence_number( -+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr, -+ tcph->source, tcph->dest)); -+ tcph->ack = 1; -+ } else { -+ if(!tcph->ack) { -+ needs_ack = 1; -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin -+ + oldskb->len - ip_hdrlen(oldskb) -+ - (oth->doff<<2)); -+ tcph->seq = 0; -+ } else { -+ needs_ack = 0; -+ tcph->seq = oth->ack_seq; -+ tcph->ack_seq = 0; -+ } -+ -+ /* Reset flags */ -+ ((u_int8_t *)tcph)[13] = 0; -+ tcph->rst = 1; -+ tcph->ack = needs_ack; -+ } -+ -+ -+ tcph->window = 0; -+ tcph->urg_ptr = 0; -+ -+ /* Adjust TCP checksum */ -+ tcph->check = 0; -+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), -+ ip_hdr(nskb)->saddr, -+ ip_hdr(nskb)->daddr, -+ csum_partial((char *)tcph, -+ sizeof(struct tcphdr), 0)); -+ -+ /* Set DF, id = 0 */ -+ ip_hdr(nskb)->frag_off = htons(IP_DF); -+ ip_hdr(nskb)->id = 0; -+ -+ addr_type = RTN_UNSPEC; -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) -+ addr_type = RTN_LOCAL; -+ -+ if (ip_route_me_harder(nskb, addr_type)) -+ goto free_nskb; -+ -+ nskb->ip_summed = CHECKSUM_NONE; -+ -+ /* Adjust IP TTL */ -+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); -+ -+ /* Adjust IP checksum */ -+ ip_hdr(nskb)->check = 0; -+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb), -+ ip_hdr(nskb)->ihl); -+ -+ /* "Never happens" */ -+ if (nskb->len > dst_mtu(nskb->dst)) -+ goto free_nskb; -+ -+ nf_ct_attach(nskb, oldskb); -+ -+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, -+ dst_output); -+ return; -+ -+ free_nskb: -+ kfree_skb(nskb); -+} -+ -+static unsigned int xt_delude_target(struct sk_buff *skb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* WARNING: This code causes reentry within iptables. -+ This means that the iptables jump stack is now crap. We -+ must return an absolute verdict. --RR */ -+ send_reset(skb, hooknum); -+ return NF_DROP; -+} -+ -+static bool xt_delude_check(const char *tablename, const void *e_void, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) { -+ printk(KERN_WARNING PFX "DELUDE may not be used in chains " -+ "other than INPUT and FORWARD\n"); -+ return false; -+ } -+ return true; -+} -+ -+static struct xt_target xt_delude_info = { -+ .name = "DELUDE", -+ .target = xt_delude_target, -+ .checkentry = xt_delude_check, -+ .table = "filter", -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_delude_init(void) -+{ -+ return xt_register_target(&xt_delude_info); -+} -+ -+static void __exit xt_delude_exit(void) -+{ -+ xt_unregister_target(&xt_delude_info); -+} -+ -+module_init(xt_delude_init); -+module_exit(xt_delude_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter DELUDE target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_DELUDE"); -Index: linux-2.6.23/net/netfilter/xt_portscan.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800 -@@ -0,0 +1,272 @@ -+/* -+ portscan match for netfilter -+ -+ Written by Jan Engelhardt, 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+enum { -+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, -+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, -+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, -+}; -+ -+/* Module parameters */ -+static unsigned int -+ connmark_mask = ~0, -+ packet_mask = ~0, -+ mark_seen = 0x9, -+ mark_synrcv = 0x1, -+ mark_closed = 0x2, -+ mark_synscan = 0x3, -+ mark_estab1 = 0x4, -+ mark_estab2 = 0x5, -+ mark_cnscan = 0x6, -+ mark_grscan = 0x7, -+ mark_valid = 0x8; -+ -+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); -+module_param(packet_mask, uint, S_IRUGO | S_IWUSR); -+module_param(mark_seen, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); -+module_param(mark_closed, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); -+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_valid, uint, S_IRUGO | S_IWUSR); -+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); -+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); -+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); -+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); -+MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); -+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); -+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); -+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); -+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); -+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); -+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); -+ -+/* TCP flag functions */ -+static inline int tflg_ack4(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_ack6(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_fin(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; -+} -+ -+static inline int tflg_rst(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; -+} -+ -+static inline int tflg_rstack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_ACK | TCP_FLAG_RST); -+} -+ -+static inline int tflg_syn(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; -+} -+ -+static inline int tflg_synack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_SYN | TCP_FLAG_ACK); -+} -+ -+/* portscan functions */ -+static inline int xt_portscan_stealth(const struct tcphdr *th) -+{ -+ /* -+ * "Connection refused" replies to our own probes must not be matched. -+ */ -+ if(tflg_rstack(th)) -+ return 0; -+ -+ if(tflg_rst(th) && printk_ratelimit()) { -+ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); -+ return 0; -+ } -+ -+ /* -+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start -+ * packets that are not associated with any connection -- this will -+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag -+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). -+ */ -+ return !tflg_syn(th); -+} -+ -+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate, -+ int loopback, const struct tcphdr *tcph, int payload_len) -+{ -+ if(mark == mark_estab2) { -+ /* -+ * -m connmark --mark $ESTAB2 -+ */ -+ if(tflg_ack4(tcph) && payload_len == 0) -+ return mark; /* keep mark */ -+ else if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_grscan; -+ else -+ return mark_valid; -+ } else if(mark == mark_estab1) { -+ /* -+ * -m connmark --mark $ESTAB1 -+ */ -+ if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_cnscan; -+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0) -+ return mark_estab2; -+ else -+ return mark_valid; -+ } else if(mark == mark_synrcv) { -+ /* -+ * -m connmark --mark $SYN -+ */ -+ if(loopback && tflg_synack(tcph)) -+ return mark; /* keep mark */ -+ else if(loopback && tflg_rstack(tcph)) -+ return mark_closed; -+ else if(tflg_ack6(tcph)) -+ return mark_estab1; -+ else -+ return mark_synscan; -+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) { -+ /* -+ * -p tcp --syn --ctstate NEW -+ */ -+ return mark_synrcv; -+ } -+ return mark; -+} -+ -+static bool xt_portscan_match(const struct sk_buff *skb, -+ const struct net_device *in, const struct net_device *out, -+ const struct xt_match *match, const void *matchinfo, int offset, -+ unsigned int protoff, bool *hotdrop) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+ enum ip_conntrack_info ctstate; -+ struct nf_conn *ctdata; -+ const struct tcphdr *tcph; -+ struct tcphdr tcph_buf; -+ -+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); -+ if(tcph == NULL) -+ return false; -+ -+ /* Check for invalid packets: -m conntrack --ctstate INVALID */ -+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { -+ if(info->match_stealth) -+ return xt_portscan_stealth(tcph); -+ /* -+ * If @ctdata is NULL, we cannot match the other scan -+ * types, return. -+ */ -+ return false; -+ } -+ -+ /* -+ * If -m portscan was previously applied to this packet, the rules we -+ * simulate must not be run through again. And for speedup, do not call -+ * it either when the connection is already VALID. -+ */ -+ if((ctdata->mark & connmark_mask) == mark_valid || -+ (skb->nfmark & packet_mask) != mark_seen) -+ { -+ unsigned int n; -+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate, -+ (in->flags && IFF_LOOPBACK) == IFF_LOOPBACK, tcph, -+ skb->len - protoff - 4 * tcph->doff); -+ -+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; -+ ((struct sk_buff *)skb)->nfmark = -+ (skb->nfmark & ~packet_mask) | mark_seen; -+ } -+ -+ return (info->match_syn && ctdata->mark == mark_synscan) || -+ (info->match_cn && ctdata->mark == mark_cnscan) || -+ (info->match_gr && ctdata->mark == mark_grscan); -+} -+ -+static bool xt_portscan_checkentry(const char *tablename, const void *entry, -+ const struct xt_match *match, void *matchinfo, -+#ifdef HAVE_MATCHINFOSIZE -+ unsigned int matchinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+#ifdef HAVE_MATCHINFOSIZE -+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) { -+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n", -+ matchinfosize, -+ XT_ALIGN(sizeof(struct xt_portscan_info))); -+ return false; -+ } -+#endif -+ if((info->match_stealth & ~1) || (info->match_syn & ~1) || -+ (info->match_cn & ~1) || (info->match_gr & ~1)) { -+ printk(KERN_WARNING PFX "Invalid flags\n"); -+ return false; -+ } -+ return true; -+} -+ -+static struct xt_match xt_portscan = { -+ .name = "portscan", -+ .match = xt_portscan_match, -+ .checkentry = xt_portscan_checkentry, -+ .matchsize = sizeof(struct xt_portscan_info), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_portscan_init(void) -+{ -+ return xt_register_match(&xt_portscan); -+} -+ -+static void __exit xt_portscan_exit(void) -+{ -+ xt_unregister_match(&xt_portscan); -+ return; -+} -+ -+module_init(xt_portscan_init); -+module_exit(xt_portscan_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter portscan match module"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_portscan"); -Index: linux-2.6.23/drivers/char/random.c -=================================================================== ---- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800 -+++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800 -@@ -1564,6 +1564,8 @@ - return seq; - } - -+EXPORT_SYMBOL(secure_tcp_sequence_number); -+ - /* Generate secure starting point for ephemeral IPV4 transport port search */ - u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) - { diff --git a/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables_0.8.patch b/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables_0.8.patch new file mode 100644 index 0000000000..38b50004eb --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables_0.8.patch @@ -0,0 +1,866 @@ +Index: linux-2.6.24/include/linux/netfilter/oot_conntrack.h +=================================================================== +--- /dev/null ++++ linux-2.6.24/include/linux/netfilter/oot_conntrack.h +@@ -0,0 +1,5 @@ ++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) ++# include ++#else /* linux-2.6.20+ */ ++# include ++#endif +Index: linux-2.6.24/include/linux/netfilter/oot_trans.h +=================================================================== +--- /dev/null ++++ linux-2.6.24/include/linux/netfilter/oot_trans.h +@@ -0,0 +1,14 @@ ++/* Out of tree workarounds */ ++#include ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) ++# define HAVE_MATCHINFOSIZE 1 ++# define HAVE_TARGUSERINFO 1 ++# define HAVE_TARGINFOSIZE 1 ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) ++# define nfmark mark ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) ++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ ++ tcp_v4_check((tcph_sz), (s), (d), (csp)) ++#endif +Index: linux-2.6.24/include/linux/netfilter/xt_CHAOS.h +=================================================================== +--- /dev/null ++++ linux-2.6.24/include/linux/netfilter/xt_CHAOS.h +@@ -0,0 +1,14 @@ ++#ifndef _LINUX_NETFILTER_XT_CHAOS_H ++#define _LINUX_NETFILTER_XT_CHAOS_H 1 ++ ++enum xt_chaos_target_variant { ++ XTCHAOS_NORMAL, ++ XTCHAOS_TARPIT, ++ XTCHAOS_DELUDE, ++}; ++ ++struct xt_chaos_target_info { ++ uint8_t variant; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */ +Index: linux-2.6.24/include/linux/netfilter/xt_portscan.h +=================================================================== +--- /dev/null ++++ linux-2.6.24/include/linux/netfilter/xt_portscan.h +@@ -0,0 +1,8 @@ ++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H ++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1 ++ ++struct xt_portscan_match_info { ++ uint8_t match_stealth, match_syn, match_cn, match_gr; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */ +Index: linux-2.6.24/net/netfilter/find_match.c +=================================================================== +--- /dev/null ++++ linux-2.6.24/net/netfilter/find_match.c +@@ -0,0 +1,39 @@ ++/* ++ xt_request_find_match ++ by Jan Engelhardt , 2006 - 2007 ++ ++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: ++ Copyright (C) 2006-2006 Harald Welte ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++*/ ++#include ++#include ++#include ++#include ++ ++/* ++ * Yeah this code is sub-optimal, but the function is missing in ++ * mainline so far. -jengelh ++ */ ++static struct xt_match *xt_request_find_match_lo(int af, const char *name, ++ u8 revision) ++{ ++ static const char *const xt_prefix[] = { ++ [AF_INET] = "ip", ++ [AF_INET6] = "ip6", ++ [NF_ARP] = "arp", ++ }; ++ struct xt_match *match; ++ ++ match = try_then_request_module(xt_find_match(af, name, revision), ++ "%st_%s", xt_prefix[af], name); ++ if (IS_ERR(match) || match == NULL) ++ return NULL; ++ ++ return match; ++} ++ ++/* In case it goes into mainline, let this out-of-tree package compile */ ++#define xt_request_find_match xt_request_find_match_lo +Index: linux-2.6.24/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.24.orig/net/netfilter/Kconfig ++++ linux-2.6.24/net/netfilter/Kconfig +@@ -265,6 +265,14 @@ config NETFILTER_XTABLES + + # alphabetically ordered list of targets + ++config NETFILTER_XT_TARGET_CHAOS ++ tristate '"CHAOS" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `CHAOS' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_CLASSIFY + tristate '"CLASSIFY" target support' + depends on NETFILTER_XTABLES +@@ -292,6 +300,14 @@ config NETFILTER_XT_TARGET_CONNMARK + . The module will be called + ipt_CONNMARK.ko. If unsure, say `N'. + ++config NETFILTER_XT_TARGET_DELUDE ++ tristate '"DELUDE" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `DELUDE' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_DSCP + tristate '"DSCP" target support' + depends on NETFILTER_XTABLES +@@ -556,6 +572,14 @@ config NETFILTER_XT_MATCH_POLICY + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_MATCH_PORTSCAN ++ tristate '"portscan" match support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a 'portscan' match support. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_MATCH_MULTIPORT + tristate "Multiple port match support" + depends on NETFILTER_XTABLES +Index: linux-2.6.24/net/netfilter/Makefile +=================================================================== +--- linux-2.6.24.orig/net/netfilter/Makefile ++++ linux-2.6.24/net/netfilter/Makefile +@@ -49,6 +49,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK + obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o + obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o + + # matches + obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o +@@ -79,3 +81,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) + obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o + obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o + obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o +Index: linux-2.6.24/net/netfilter/xt_CHAOS.c +=================================================================== +--- /dev/null ++++ linux-2.6.24/net/netfilter/xt_CHAOS.c +@@ -0,0 +1,200 @@ ++/* ++ * CHAOS target for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \ ++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE) ++# include ++# include "find_match.c" ++#else ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++/* Module parameters */ ++static unsigned int reject_percentage = ~0U * .01; ++static unsigned int delude_percentage = ~0U * .0101; ++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); ++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); ++ ++/* References to other matches/targets */ ++static struct xt_match *xm_tcp; ++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; ++ ++static int have_delude, have_tarpit; ++ ++/* Static data for other matches/targets */ ++static const struct ipt_reject_info reject_params = { ++ .with = ICMP_HOST_UNREACH, ++}; ++ ++static const struct xt_tcp tcp_params = { ++ .spts = {0, ~0}, ++ .dpts = {0, ~0}, ++}; ++ ++/* CHAOS functions */ ++static void xt_chaos_total(const struct xt_chaos_target_info *info, ++ struct sk_buff *skb, const struct net_device *in, ++ const struct net_device *out, unsigned int hooknum) ++{ ++ const struct iphdr *iph = ip_hdr(skb); ++ const int protoff = 4 * iph->ihl; ++ const int offset = ntohs(iph->frag_off) & IP_OFFSET; ++ const struct xt_target *destiny; ++ bool hotdrop = false, ret; ++ ++ ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params, ++ offset, protoff, &hotdrop); ++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage) ++ return; ++ ++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; ++ destiny->target(skb, in, out, hooknum, destiny, NULL); ++ return; ++} ++ ++static unsigned int chaos_tg(struct sk_buff *skb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* ++ * Equivalent to: ++ * -A chaos -m statistic --mode random --probability \ ++ * $reject_percentage -j REJECT --reject-with host-unreach; ++ * -A chaos -p tcp -m statistic --mode random --probability \ ++ * $delude_percentage -j DELUDE; ++ * -A chaos -j DROP; ++ */ ++ const struct xt_chaos_target_info *info = targinfo; ++ const struct iphdr *iph = ip_hdr(skb); ++ ++ if ((unsigned int)net_random() <= reject_percentage) ++ return xt_reject->target(skb, in, out, hooknum, target, ++ &reject_params); ++ ++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ ++ if (iph->protocol == IPPROTO_TCP && ++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) ++ xt_chaos_total(info, skb, in, out, hooknum); ++ ++ return NF_DROP; ++} ++ ++static bool chaos_tg_check(const char *tablename, const void *entry, ++ const struct xt_target *target, void *targinfo, unsigned int hook_mask) ++{ ++ const struct xt_chaos_target_info *info = targinfo; ++ ++ if (info->variant == XTCHAOS_DELUDE && !have_delude) { ++ printk(KERN_WARNING PFX "Error: Cannot use --delude when " ++ "DELUDE module not available\n"); ++ return false; ++ } ++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) { ++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " ++ "TARPIT module not available\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++static struct xt_target chaos_tg_reg = { ++ .name = "CHAOS", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | ++ (1 << NF_IP_LOCAL_OUT), ++ .checkentry = chaos_tg_check, ++ .target = chaos_tg, ++ .targetsize = sizeof(struct xt_chaos_target_info), ++ .me = THIS_MODULE, ++}; ++ ++static int __init chaos_tg_init(void) ++{ ++ int ret = -EINVAL; ++ ++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); ++ if (xm_tcp == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"tcp\" match\n"); ++ return -EINVAL; ++ } ++ ++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); ++ if (xt_reject == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"REJECT\" target\n"); ++ goto out2; ++ } ++ ++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); ++ have_tarpit = xt_tarpit != NULL; ++ if (!have_tarpit) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"TARPIT\" target\n"); ++ ++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); ++ have_delude = xt_delude != NULL; ++ if (!have_delude) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"DELUDE\" target\n"); ++ ++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) { ++ printk(KERN_WARNING PFX "xt_register_target returned " ++ "error %d\n", ret); ++ goto out3; ++ } ++ ++ return 0; ++ ++ out3: ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ module_put(xt_reject->me); ++ out2: ++ module_put(xm_tcp->me); ++ return ret; ++} ++ ++static void __exit chaos_tg_exit(void) ++{ ++ xt_unregister_target(&chaos_tg_reg); ++ module_put(xm_tcp->me); ++ module_put(xt_reject->me); ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ return; ++} ++ ++module_init(chaos_tg_init); ++module_exit(chaos_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"CHAOS\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_CHAOS"); +Index: linux-2.6.24/net/netfilter/xt_DELUDE.c +=================================================================== +--- /dev/null ++++ linux-2.6.24/net/netfilter/xt_DELUDE.c +@@ -0,0 +1,197 @@ ++/* ++ * DELUDE target ++ * Copyright © CC Computer Consultants GmbH, 2007 ++ * Contact: Jan Engelhardt ++ * ++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: ++ * (C) 1999-2001 Paul `Rusty' Russell ++ * (C) 2002-2004 Netfilter Core Team ++ * ++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#ifdef CONFIG_BRIDGE_NETFILTER ++# include ++#endif ++#include ++#define PFX KBUILD_MODNAME ": " ++ ++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook) ++{ ++ struct tcphdr _otcph, *oth, *tcph; ++ unsigned int addr_type; ++ struct sk_buff *nskb; ++ u_int16_t tmp_port; ++ u_int32_t tmp_addr; ++ struct iphdr *niph; ++ bool needs_ack; ++ ++ /* IP header checks: fragment. */ ++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) ++ return; ++ ++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), ++ sizeof(_otcph), &_otcph); ++ if (oth == NULL) ++ return; ++ ++ /* No RST for RST. */ ++ if (oth->rst) ++ return; ++ ++ /* Check checksum */ ++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) ++ return; ++ ++ /* We need a linear, writeable skb. We also need to expand ++ headroom in case hh_len of incoming interface < hh_len of ++ outgoing interface */ ++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), ++ GFP_ATOMIC); ++ if (!nskb) ++ return; ++ ++ /* This packet will not be the same as the other: clear nf fields */ ++ nf_reset(nskb); ++ nskb->mark = 0; ++ skb_init_secmark(nskb); ++ ++ skb_shinfo(nskb)->gso_size = 0; ++ skb_shinfo(nskb)->gso_segs = 0; ++ skb_shinfo(nskb)->gso_type = 0; ++ ++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb)); ++ ++ /* Swap source and dest */ ++ niph = ip_hdr(nskb); ++ tmp_addr = niph->saddr; ++ niph->saddr = niph->daddr; ++ niph->daddr = tmp_addr; ++ tmp_port = tcph->source; ++ tcph->source = tcph->dest; ++ tcph->dest = tmp_port; ++ ++ /* Truncate to length (no data) */ ++ tcph->doff = sizeof(struct tcphdr) / 4; ++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); ++ niph->tot_len = htons(nskb->len); ++ ++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) { ++ /* DELUDE essential part */ ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + ++ oldskb->len - ip_hdrlen(oldskb) - ++ (oth->doff << 2)); ++ tcph->seq = false; ++ tcph->ack = true; ++ } else { ++ if (!tcph->ack) { ++ needs_ack = true; ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + ++ oth->fin + oldskb->len - ++ ip_hdrlen(oldskb) - (oth->doff<<2)); ++ tcph->seq = false; ++ } else { ++ needs_ack = false; ++ tcph->seq = oth->ack_seq; ++ tcph->ack_seq = false; ++ } ++ ++ /* Reset flags */ ++ ((u_int8_t *)tcph)[13] = 0; ++ tcph->rst = true; ++ tcph->ack = needs_ack; ++ } ++ ++ tcph->window = 0; ++ tcph->urg_ptr = 0; ++ ++ /* Adjust TCP checksum */ ++ tcph->check = 0; ++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, ++ niph->daddr, csum_partial((char *)tcph, ++ sizeof(struct tcphdr), 0)); ++ ++ /* Set DF, id = 0 */ ++ niph->frag_off = htons(IP_DF); ++ niph->id = 0; ++ ++ addr_type = RTN_UNSPEC; ++#ifdef CONFIG_BRIDGE_NETFILTER ++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL && ++ nskb->nf_bridge->mask & BRNF_BRIDGED)) ++#else ++ if (hook != NF_IP_FORWARD) ++#endif ++ addr_type = RTN_LOCAL; ++ ++ if (ip_route_me_harder(nskb, addr_type)) ++ goto free_nskb; ++ ++ nskb->ip_summed = CHECKSUM_NONE; ++ ++ /* Adjust IP TTL */ ++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); ++ ++ /* Adjust IP checksum */ ++ niph->check = 0; ++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl); ++ ++ /* "Never happens" */ ++ if (nskb->len > dst_mtu(nskb->dst)) ++ goto free_nskb; ++ ++ nf_ct_attach(nskb, oldskb); ++ ++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, ++ dst_output); ++ return; ++ ++ free_nskb: ++ kfree_skb(nskb); ++} ++ ++static unsigned int delude_tg(struct sk_buff *skb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* WARNING: This code causes reentry within iptables. ++ This means that the iptables jump stack is now crap. We ++ must return an absolute verdict. --RR */ ++ delude_send_reset(skb, hooknum); ++ return NF_DROP; ++} ++ ++static struct xt_target delude_tg_reg = { ++ .name = "DELUDE", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD), ++ .target = delude_tg, ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init delude_tg_init(void) ++{ ++ return xt_register_target(&delude_tg_reg); ++} ++ ++static void __exit delude_tg_exit(void) ++{ ++ xt_unregister_target(&delude_tg_reg); ++} ++ ++module_init(delude_tg_init); ++module_exit(delude_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"DELUDE\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_DELUDE"); +Index: linux-2.6.24/net/netfilter/xt_portscan.c +=================================================================== +--- /dev/null ++++ linux-2.6.24/net/netfilter/xt_portscan.c +@@ -0,0 +1,269 @@ ++/* ++ * portscan match for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_portscan.h" ++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \ ++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE) ++# include ++#else ++# include "xt_portscan.h" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++enum { ++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, ++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, ++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, ++}; ++ ++/* Module parameters */ ++static unsigned int ++ connmark_mask = ~0, ++ packet_mask = ~0, ++ mark_seen = 0x9, ++ mark_synrcv = 0x1, ++ mark_closed = 0x2, ++ mark_synscan = 0x3, ++ mark_estab1 = 0x4, ++ mark_estab2 = 0x5, ++ mark_cnscan = 0x6, ++ mark_grscan = 0x7, ++ mark_valid = 0x8; ++ ++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); ++module_param(packet_mask, uint, S_IRUGO | S_IWUSR); ++module_param(mark_seen, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); ++module_param(mark_closed, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); ++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_valid, uint, S_IRUGO | S_IWUSR); ++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); ++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); ++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); ++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); ++MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); ++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); ++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); ++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); ++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); ++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); ++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); ++ ++/* TCP flag functions */ ++static inline bool tflg_ack4(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_ack6(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_fin(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; ++} ++ ++static inline bool tflg_rst(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; ++} ++ ++static inline bool tflg_rstack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_ACK | TCP_FLAG_RST); ++} ++ ++static inline bool tflg_syn(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; ++} ++ ++static inline bool tflg_synack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_SYN | TCP_FLAG_ACK); ++} ++ ++/* portscan functions */ ++static inline bool portscan_mt_stealth(const struct tcphdr *th) ++{ ++ /* ++ * "Connection refused" replies to our own probes must not be matched. ++ */ ++ if (tflg_rstack(th)) ++ return false; ++ ++ if (tflg_rst(th) && printk_ratelimit()) { ++ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); ++ return false; ++ } ++ ++ /* ++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start ++ * packets that are not associated with any connection -- this will ++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag ++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). ++ */ ++ return !tflg_syn(th); ++} ++ ++static inline unsigned int portscan_mt_full(int mark, ++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph, ++ unsigned int payload_len) ++{ ++ if (mark == mark_estab2) { ++ /* ++ * -m connmark --mark $ESTAB2 ++ */ ++ if (tflg_ack4(tcph) && payload_len == 0) ++ return mark; /* keep mark */ ++ else if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_grscan; ++ else ++ return mark_valid; ++ } else if (mark == mark_estab1) { ++ /* ++ * -m connmark --mark $ESTAB1 ++ */ ++ if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_cnscan; ++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0) ++ return mark_estab2; ++ else ++ return mark_valid; ++ } else if (mark == mark_synrcv) { ++ /* ++ * -m connmark --mark $SYN ++ */ ++ if (loopback && tflg_synack(tcph)) ++ return mark; /* keep mark */ ++ else if (loopback && tflg_rstack(tcph)) ++ return mark_closed; ++ else if (tflg_ack6(tcph)) ++ return mark_estab1; ++ else ++ return mark_synscan; ++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) { ++ /* ++ * -p tcp --syn --ctstate NEW ++ */ ++ return mark_synrcv; ++ } ++ return mark; ++} ++ ++static bool portscan_mt(const struct sk_buff *skb, ++ const struct net_device *in, const struct net_device *out, ++ const struct xt_match *match, const void *matchinfo, int offset, ++ unsigned int protoff, bool *hotdrop) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ enum ip_conntrack_info ctstate; ++ const struct tcphdr *tcph; ++ struct nf_conn *ctdata; ++ struct tcphdr tcph_buf; ++ ++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); ++ if (tcph == NULL) ++ return false; ++ ++ /* Check for invalid packets: -m conntrack --ctstate INVALID */ ++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { ++ if (info->match_stealth) ++ return portscan_mt_stealth(tcph); ++ /* ++ * If @ctdata is NULL, we cannot match the other scan ++ * types, return. ++ */ ++ return false; ++ } ++ ++ /* ++ * If -m portscan was previously applied to this packet, the rules we ++ * simulate must not be run through again. And for speedup, do not call ++ * it either when the connection is already VALID. ++ */ ++ if ((ctdata->mark & connmark_mask) == mark_valid || ++ (skb->mark & packet_mask) != mark_seen) { ++ unsigned int n; ++ ++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate, ++ (in->flags & IFF_LOOPBACK) == IFF_LOOPBACK, tcph, ++ skb->len - protoff - 4 * tcph->doff); ++ ++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; ++ ((struct sk_buff *)skb)->mark = ++ (skb->mark & ~packet_mask) ^ mark_seen; ++ } ++ ++ return (info->match_syn && ctdata->mark == mark_synscan) || ++ (info->match_cn && ctdata->mark == mark_cnscan) || ++ (info->match_gr && ctdata->mark == mark_grscan); ++} ++ ++static bool portscan_mt_check(const char *tablename, const void *entry, ++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ ++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) || ++ (info->match_cn & ~1) || (info->match_gr & ~1)) { ++ printk(KERN_WARNING PFX "Invalid flags\n"); ++ return false; ++ } ++ return true; ++} ++ ++static struct xt_match portscan_mt_reg __read_mostly = { ++ .name = "portscan", ++ .family = AF_INET, ++ .match = portscan_mt, ++ .checkentry = portscan_mt_check, ++ .matchsize = sizeof(struct xt_portscan_match_info), ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init portscan_mt_init(void) ++{ ++ return xt_register_match(&portscan_mt_reg); ++} ++ ++static void __exit portscan_mt_exit(void) ++{ ++ xt_unregister_match(&portscan_mt_reg); ++ return; ++} ++ ++module_init(portscan_mt_init); ++module_exit(portscan_mt_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"portscan\" match"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_portscan"); +Index: linux-2.6.24/drivers/char/random.c +=================================================================== +--- linux-2.6.24.orig/drivers/char/random.c ++++ linux-2.6.24/drivers/char/random.c +@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32 + return seq; + } + ++EXPORT_SYMBOL(secure_tcp_sequence_number); ++ + /* Generate secure starting point for ephemeral IPV4 transport port search */ + u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) + { diff --git a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.17.patch b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.17.patch new file mode 100644 index 0000000000..52908b3076 --- /dev/null +++ b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.17.patch @@ -0,0 +1,2123 @@ +Index: linux-2.6.21.7/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/Kconfig ++++ linux-2.6.21.7/net/netfilter/Kconfig +@@ -640,6 +640,27 @@ config NETFILTER_XT_MATCH_STATE + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_MATCH_LAYER7 ++ tristate '"layer7" match support' ++ depends on NETFILTER_XTABLES ++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK) ++ depends on NF_CT_ACCT ++ help ++ Say Y if you want to be able to classify connections (and their ++ packets) based on regular expression matching of their application ++ layer data. This is one way to classify applications such as ++ peer-to-peer filesharing systems that do not always use the same ++ port. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ ++config NETFILTER_XT_MATCH_LAYER7_DEBUG ++ bool 'Layer 7 debugging output' ++ depends on NETFILTER_XT_MATCH_LAYER7 ++ help ++ Say Y to get lots of debugging output. ++ ++ + config NETFILTER_XT_MATCH_STATISTIC + tristate '"statistic" match support' + depends on NETFILTER_XTABLES +Index: linux-2.6.21.7/net/netfilter/Makefile +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/Makefile ++++ linux-2.6.21.7/net/netfilter/Makefile +@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) + + obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o + obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o + obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o + obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o + obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o + obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o +Index: linux-2.6.21.7/net/netfilter/xt_layer7.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/xt_layer7.c +@@ -0,0 +1,634 @@ ++/* ++ Kernel module to match application layer (OSI layer 7) data in connections. ++ ++ http://l7-filter.sf.net ++ ++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on ipt_string.c (C) 2000 Emmanuel Roger , ++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait, ++ Ethan Sommer, Justin Levandoski. ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "regexp/regexp.c" ++ ++MODULE_LICENSE("GPL"); ++MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); ++MODULE_DESCRIPTION("iptables application layer match module"); ++MODULE_ALIAS("ipt_layer7"); ++MODULE_VERSION("2.17"); ++ ++static int maxdatalen = 2048; // this is the default ++module_param(maxdatalen, int, 0444); ++MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter"); ++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG ++ #define DPRINTK(format,args...) printk(format,##args) ++#else ++ #define DPRINTK(format,args...) ++#endif ++ ++#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \ ++ master_conntrack->counters[IP_CT_DIR_REPLY].packets ++ ++/* Number of packets whose data we look at. ++This can be modified through /proc/net/layer7_numpackets */ ++static int num_packets = 10; ++ ++static struct pattern_cache { ++ char * regex_string; ++ regexp * pattern; ++ struct pattern_cache * next; ++} * first_pattern_cache = NULL; ++ ++DEFINE_SPINLOCK(l7_lock); ++ ++#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++/* Converts an unfriendly string into a friendly one by ++replacing unprintables with periods and all whitespace with " ". */ ++static char * friendly_print(unsigned char * s) ++{ ++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC); ++ int i; ++ ++ if(!f) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "friendly_print, bailing.\n"); ++ return NULL; ++ } ++ ++ for(i = 0; i < strlen(s); i++){ ++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i]; ++ else if(isspace(s[i])) f[i] = ' '; ++ else f[i] = '.'; ++ } ++ f[i] = '\0'; ++ return f; ++} ++ ++static char dec2hex(int i) ++{ ++ switch (i) { ++ case 0 ... 9: ++ return (i + '0'); ++ break; ++ case 10 ... 15: ++ return (i - 10 + 'a'); ++ break; ++ default: ++ if (net_ratelimit()) ++ printk("layer7: Problem in dec2hex\n"); ++ return '\0'; ++ } ++} ++ ++static char * hex_print(unsigned char * s) ++{ ++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC); ++ int i; ++ ++ if(!g) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in hex_print, " ++ "bailing.\n"); ++ return NULL; ++ } ++ ++ for(i = 0; i < strlen(s); i++) { ++ g[i*3 ] = dec2hex(s[i]/16); ++ g[i*3 + 1] = dec2hex(s[i]%16); ++ g[i*3 + 2] = ' '; ++ } ++ g[i*3] = '\0'; ++ ++ return g; ++} ++#endif // DEBUG ++ ++/* Use instead of regcomp. As we expect to be seeing the same regexps over and ++over again, it make sense to cache the results. */ ++static regexp * compile_and_cache(const char * regex_string, ++ const char * protocol) ++{ ++ struct pattern_cache * node = first_pattern_cache; ++ struct pattern_cache * last_pattern_cache = first_pattern_cache; ++ struct pattern_cache * tmp; ++ unsigned int len; ++ ++ while (node != NULL) { ++ if (!strcmp(node->regex_string, regex_string)) ++ return node->pattern; ++ ++ last_pattern_cache = node;/* points at the last non-NULL node */ ++ node = node->next; ++ } ++ ++ /* If we reach the end of the list, then we have not yet cached ++ the pattern for this regex. Let's do that now. ++ Be paranoid about running out of memory to avoid list corruption. */ ++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC); ++ ++ if(!tmp) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "compile_and_cache, bailing.\n"); ++ return NULL; ++ } ++ ++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC); ++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC); ++ tmp->next = NULL; ++ ++ if(!tmp->regex_string || !tmp->pattern) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "compile_and_cache, bailing.\n"); ++ kfree(tmp->regex_string); ++ kfree(tmp->pattern); ++ kfree(tmp); ++ return NULL; ++ } ++ ++ /* Ok. The new node is all ready now. */ ++ node = tmp; ++ ++ if(first_pattern_cache == NULL) /* list is empty */ ++ first_pattern_cache = node; /* make node the beginning */ ++ else ++ last_pattern_cache->next = node; /* attach node to the end */ ++ ++ /* copy the string and compile the regex */ ++ len = strlen(regex_string); ++ DPRINTK("About to compile this: \"%s\"\n", regex_string); ++ node->pattern = regcomp((char *)regex_string, &len); ++ if ( !node->pattern ) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: Error compiling regexp " ++ "\"%s\" (%s)\n", ++ regex_string, protocol); ++ /* pattern is now cached as NULL, so we won't try again. */ ++ } ++ ++ strcpy(node->regex_string, regex_string); ++ return node->pattern; ++} ++ ++static int can_handle(const struct sk_buff *skb) ++{ ++ if(!ip_hdr(skb)) /* not IP */ ++ return 0; ++ if(ip_hdr(skb)->protocol != IPPROTO_TCP && ++ ip_hdr(skb)->protocol != IPPROTO_UDP && ++ ip_hdr(skb)->protocol != IPPROTO_ICMP) ++ return 0; ++ return 1; ++} ++ ++/* Returns offset the into the skb->data that the application data starts */ ++static int app_data_offset(const struct sk_buff *skb) ++{ ++ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb) ++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ ++ int ip_hl = 4*ip_hdr(skb)->ihl; ++ ++ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) { ++ /* 12 == offset into TCP header for the header length field. ++ Can't get this with skb->h.th->doff because the tcphdr ++ struct doesn't get set when routing (this is confirmed to be ++ true in Netfilter as well as QoS.) */ ++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4); ++ ++ return ip_hl + tcp_hl; ++ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) { ++ return ip_hl + 8; /* UDP header is always 8 bytes */ ++ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) { ++ return ip_hl + 8; /* ICMP header is 8 bytes */ ++ } else { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: tried to handle unknown " ++ "protocol!\n"); ++ return ip_hl + 8; /* something reasonable */ ++ } ++} ++ ++/* handles whether there's a match when we aren't appending data anymore */ ++static int match_no_append(struct nf_conn * conntrack, ++ struct nf_conn * master_conntrack, ++ enum ip_conntrack_info ctinfo, ++ enum ip_conntrack_info master_ctinfo, ++ const struct xt_layer7_info * info) ++{ ++ /* If we're in here, throw the app data away */ ++ if(master_conntrack->layer7.app_data != NULL) { ++ ++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++ if(!master_conntrack->layer7.app_proto) { ++ char * f = ++ friendly_print(master_conntrack->layer7.app_data); ++ char * g = ++ hex_print(master_conntrack->layer7.app_data); ++ DPRINTK("\nl7-filter gave up after %d bytes " ++ "(%d packets):\n%s\n", ++ strlen(f), TOTAL_PACKETS, f); ++ kfree(f); ++ DPRINTK("In hex: %s\n", g); ++ kfree(g); ++ } ++ #endif ++ ++ kfree(master_conntrack->layer7.app_data); ++ master_conntrack->layer7.app_data = NULL; /* don't free again */ ++ } ++ ++ if(master_conntrack->layer7.app_proto){ ++ /* Here child connections set their .app_proto (for /proc) */ ++ if(!conntrack->layer7.app_proto) { ++ conntrack->layer7.app_proto = ++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1, ++ GFP_ATOMIC); ++ if(!conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory " ++ "in match_no_append, " ++ "bailing.\n"); ++ return 1; ++ } ++ strcpy(conntrack->layer7.app_proto, ++ master_conntrack->layer7.app_proto); ++ } ++ ++ return (!strcmp(master_conntrack->layer7.app_proto, ++ info->protocol)); ++ } ++ else { ++ /* If not classified, set to "unknown" to distinguish from ++ connections that are still being tested. */ ++ master_conntrack->layer7.app_proto = ++ kmalloc(strlen("unknown")+1, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "match_no_append, bailing.\n"); ++ return 1; ++ } ++ strcpy(master_conntrack->layer7.app_proto, "unknown"); ++ return 0; ++ } ++} ++ ++/* add the new app data to the conntrack. Return number of bytes added. */ ++static int add_data(struct nf_conn * master_conntrack, ++ char * app_data, int appdatalen) ++{ ++ int length = 0, i; ++ int oldlength = master_conntrack->layer7.app_data_len; ++ ++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not ++ clear on whether the race condition exists or whether this really ++ fixes it. I might just be being dense... Anyway, if it's not really ++ a fix, all it does is waste a very small amount of time. */ ++ if(!master_conntrack->layer7.app_data) return 0; ++ ++ /* Strip nulls. Make everything lower case (our regex lib doesn't ++ do case insensitivity). Add it to the end of the current data. */ ++ for(i = 0; i < maxdatalen-oldlength-1 && ++ i < appdatalen; i++) { ++ if(app_data[i] != '\0') { ++ /* the kernel version of tolower mungs 'upper ascii' */ ++ master_conntrack->layer7.app_data[length+oldlength] = ++ isascii(app_data[i])? ++ tolower(app_data[i]) : app_data[i]; ++ length++; ++ } ++ } ++ ++ master_conntrack->layer7.app_data[length+oldlength] = '\0'; ++ master_conntrack->layer7.app_data_len = length + oldlength; ++ ++ return length; ++} ++ ++/* taken from drivers/video/modedb.c */ ++static int my_atoi(const char *s) ++{ ++ int val = 0; ++ ++ for (;; s++) { ++ switch (*s) { ++ case '0'...'9': ++ val = 10*val+(*s-'0'); ++ break; ++ default: ++ return val; ++ } ++ } ++} ++ ++/* write out num_packets to userland. */ ++static int layer7_read_proc(char* page, char ** start, off_t off, int count, ++ int* eof, void * data) ++{ ++ if(num_packets > 99 && net_ratelimit()) ++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); ++ ++ page[0] = num_packets/10 + '0'; ++ page[1] = num_packets%10 + '0'; ++ page[2] = '\n'; ++ page[3] = '\0'; ++ ++ *eof=1; ++ ++ return 3; ++} ++ ++/* Read in num_packets from userland */ ++static int layer7_write_proc(struct file* file, const char* buffer, ++ unsigned long count, void *data) ++{ ++ char * foo = kmalloc(count, GFP_ATOMIC); ++ ++ if(!foo){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory, bailing. " ++ "num_packets unchanged.\n"); ++ return count; ++ } ++ ++ if(copy_from_user(foo, buffer, count)) { ++ return -EFAULT; ++ } ++ ++ ++ num_packets = my_atoi(foo); ++ kfree (foo); ++ ++ /* This has an arbitrary limit to make the math easier. I'm lazy. ++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ ++ if(num_packets > 99) { ++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); ++ num_packets = 99; ++ } else if(num_packets < 1) { ++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); ++ num_packets = 1; ++ } ++ ++ return count; ++} ++ ++static int ++match(const struct sk_buff *skbin, ++ const struct net_device *in, ++ const struct net_device *out, ++ const struct xt_match *match, ++ const void *matchinfo, ++ int offset, ++ unsigned int protoff, ++ int *hotdrop) ++{ ++ /* sidestep const without getting a compiler warning... */ ++ struct sk_buff * skb = (struct sk_buff *)skbin; ++ ++ const struct xt_layer7_info * info = matchinfo; ++ enum ip_conntrack_info master_ctinfo, ctinfo; ++ struct nf_conn *master_conntrack, *conntrack; ++ unsigned char * app_data; ++ unsigned int pattern_result, appdatalen; ++ regexp * comppattern; ++ ++ /* Be paranoid/incompetent - lock the entire match function. */ ++ spin_lock_bh(&l7_lock); ++ ++ if(!can_handle(skb)){ ++ DPRINTK("layer7: This is some protocol I can't handle.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ ++ /* Treat parent & all its children together as one connection, except ++ for the purpose of setting conntrack->layer7.app_proto in the actual ++ connection. This makes /proc/net/ip_conntrack more satisfying. */ ++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) || ++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){ ++ DPRINTK("layer7: couldn't get conntrack.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ ++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */ ++ while (master_ct(master_conntrack) != NULL) ++ master_conntrack = master_ct(master_conntrack); ++ ++ /* if we've classified it or seen too many packets */ ++ if(TOTAL_PACKETS > num_packets || ++ master_conntrack->layer7.app_proto) { ++ ++ pattern_result = match_no_append(conntrack, master_conntrack, ++ ctinfo, master_ctinfo, info); ++ ++ /* skb->cb[0] == seen. Don't do things twice if there are ++ multiple l7 rules. I'm not sure that using cb for this purpose ++ is correct, even though it says "put your private variables ++ there". But it doesn't look like it is being used for anything ++ else in the skbs that make it here. */ ++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */ ++ ++ spin_unlock_bh(&l7_lock); ++ return (pattern_result ^ info->invert); ++ } ++ ++ if(skb_is_nonlinear(skb)){ ++ if(skb_linearize(skb) != 0){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: failed to linearize " ++ "packet, bailing.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ } ++ ++ /* now that the skb is linearized, it's safe to set these. */ ++ app_data = skb->data + app_data_offset(skb); ++ appdatalen = skb_tail_pointer(skb) - app_data; ++ ++ /* the return value gets checked later, when we're ready to use it */ ++ comppattern = compile_and_cache(info->pattern, info->protocol); ++ ++ /* On the first packet of a connection, allocate space for app data */ ++ if(TOTAL_PACKETS == 1 && !skb->cb[0] && ++ !master_conntrack->layer7.app_data){ ++ master_conntrack->layer7.app_data = ++ kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "match, bailing.\n"); ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ ++ master_conntrack->layer7.app_data[0] = '\0'; ++ } ++ ++ /* Can be here, but unallocated, if numpackets is increased near ++ the beginning of a connection */ ++ if(master_conntrack->layer7.app_data == NULL){ ++ spin_unlock_bh(&l7_lock); ++ return (info->invert); /* unmatched */ ++ } ++ ++ if(!skb->cb[0]){ ++ int newbytes; ++ newbytes = add_data(master_conntrack, app_data, appdatalen); ++ ++ if(newbytes == 0) { /* didn't add any data */ ++ skb->cb[0] = 1; ++ /* Didn't match before, not going to match now */ ++ spin_unlock_bh(&l7_lock); ++ return info->invert; ++ } ++ } ++ ++ /* If looking for "unknown", then never match. "Unknown" means that ++ we've given up; we're still trying with these packets. */ ++ if(!strcmp(info->protocol, "unknown")) { ++ pattern_result = 0; ++ /* If looking for "unset", then always match. "Unset" means that we ++ haven't yet classified the connection. */ ++ } else if(!strcmp(info->protocol, "unset")) { ++ pattern_result = 2; ++ DPRINTK("layer7: matched unset: not yet classified " ++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets); ++ /* If the regexp failed to compile, don't bother running it */ ++ } else if(comppattern && ++ regexec(comppattern, master_conntrack->layer7.app_data)){ ++ DPRINTK("layer7: matched %s\n", info->protocol); ++ pattern_result = 1; ++ } else pattern_result = 0; ++ ++ if(pattern_result == 1) { ++ master_conntrack->layer7.app_proto = ++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); ++ if(!master_conntrack->layer7.app_proto){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "match, bailing.\n"); ++ spin_unlock_bh(&l7_lock); ++ return (pattern_result ^ info->invert); ++ } ++ strcpy(master_conntrack->layer7.app_proto, info->protocol); ++ } else if(pattern_result > 1) { /* cleanup from "unset" */ ++ pattern_result = 1; ++ } ++ ++ /* mark the packet seen */ ++ skb->cb[0] = 1; ++ ++ spin_unlock_bh(&l7_lock); ++ return (pattern_result ^ info->invert); ++} ++ ++static int check(const char *tablename, ++ const void *inf, ++ const struct xt_match *match, ++ void *matchinfo, ++ unsigned int hook_mask) ++ ++{ ++ // load nf_conntrack_ipv4 ++ if (nf_ct_l3proto_try_module_get(match->family) < 0) { ++ printk(KERN_WARNING "can't load conntrack support for " ++ "proto=%d\n", match->family); ++ return false; ++ } ++ return true; ++} ++ ++static void ++destroy(const struct xt_match *match, void *matchinfo) ++{ ++ nf_ct_l3proto_module_put(match->family); ++} ++ ++static struct xt_match xt_layer7_match[] = { ++{ ++ .name = "layer7", ++ .family = AF_INET, ++ .checkentry = check, ++ .match = match, ++ .destroy = destroy, ++ .matchsize = sizeof(struct xt_layer7_info), ++ .me = THIS_MODULE ++} ++}; ++ ++static void layer7_cleanup_proc(void) ++{ ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23) ++ remove_proc_entry("layer7_numpackets", proc_net); ++#else ++ remove_proc_entry("layer7_numpackets", init_net.proc_net); ++#endif ++} ++ ++/* register the proc file */ ++static void layer7_init_proc(void) ++{ ++ struct proc_dir_entry* entry; ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23) ++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); ++#else ++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net); ++#endif ++ entry->read_proc = layer7_read_proc; ++ entry->write_proc = layer7_write_proc; ++} ++ ++static int __init xt_layer7_init(void) ++{ ++ need_conntrack(); ++ ++ layer7_init_proc(); ++ if(maxdatalen < 1) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, " ++ "using 1\n"); ++ maxdatalen = 1; ++ } ++ /* This is not a hard limit. It's just here to prevent people from ++ bringing their slow machines to a grinding halt. */ ++ else if(maxdatalen > 65536) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, " ++ "using 65536\n"); ++ maxdatalen = 65536; ++ } ++ return xt_register_matches(xt_layer7_match, ++ ARRAY_SIZE(xt_layer7_match)); ++} ++ ++static void __exit xt_layer7_fini(void) ++{ ++ layer7_cleanup_proc(); ++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match)); ++} ++ ++module_init(xt_layer7_init); ++module_exit(xt_layer7_fini); +Index: linux-2.6.21.7/net/netfilter/regexp/regexp.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/regexp/regexp.c +@@ -0,0 +1,1197 @@ ++/* ++ * regcomp and regexec -- regsub and regerror are elsewhere ++ * @(#)regexp.c 1.3 of 18 April 87 ++ * ++ * Copyright (c) 1986 by University of Toronto. ++ * Written by Henry Spencer. Not derived from licensed software. ++ * ++ * Permission is granted to anyone to use this software for any ++ * purpose on any computer system, and to redistribute it freely, ++ * subject to the following restrictions: ++ * ++ * 1. The author is not responsible for the consequences of use of ++ * this software, no matter how awful, even if they arise ++ * from defects in it. ++ * ++ * 2. The origin of this software must not be misrepresented, either ++ * by explicit claim or by omission. ++ * ++ * 3. Altered versions must be plainly marked as such, and must not ++ * be misrepresented as being the original software. ++ * ++ * Beware that some of this code is subtly aware of the way operator ++ * precedence is structured in regular expressions. Serious changes in ++ * regular-expression syntax might require a total rethink. ++ * ++ * This code was modified by Ethan Sommer to work within the kernel ++ * (it now uses kmalloc etc..) ++ * ++ * Modified slightly by Matthew Strait to use more modern C. ++ */ ++ ++#include "regexp.h" ++#include "regmagic.h" ++ ++/* added by ethan and matt. Lets it work in both kernel and user space. ++(So iptables can use it, for instance.) Yea, it goes both ways... */ ++#if __KERNEL__ ++ #define malloc(foo) kmalloc(foo,GFP_ATOMIC) ++#else ++ #define printk(format,args...) printf(format,##args) ++#endif ++ ++void regerror(char * s) ++{ ++ printk("<3>Regexp: %s\n", s); ++ /* NOTREACHED */ ++} ++ ++/* ++ * The "internal use only" fields in regexp.h are present to pass info from ++ * compile to execute that permits the execute phase to run lots faster on ++ * simple cases. They are: ++ * ++ * regstart char that must begin a match; '\0' if none obvious ++ * reganch is the match anchored (at beginning-of-line only)? ++ * regmust string (pointer into program) that match must include, or NULL ++ * regmlen length of regmust string ++ * ++ * Regstart and reganch permit very fast decisions on suitable starting points ++ * for a match, cutting down the work a lot. Regmust permits fast rejection ++ * of lines that cannot possibly match. The regmust tests are costly enough ++ * that regcomp() supplies a regmust only if the r.e. contains something ++ * potentially expensive (at present, the only such thing detected is * or + ++ * at the start of the r.e., which can involve a lot of backup). Regmlen is ++ * supplied because the test in regexec() needs it and regcomp() is computing ++ * it anyway. ++ */ ++ ++/* ++ * Structure for regexp "program". This is essentially a linear encoding ++ * of a nondeterministic finite-state machine (aka syntax charts or ++ * "railroad normal form" in parsing technology). Each node is an opcode ++ * plus a "next" pointer, possibly plus an operand. "Next" pointers of ++ * all nodes except BRANCH implement concatenation; a "next" pointer with ++ * a BRANCH on both ends of it is connecting two alternatives. (Here we ++ * have one of the subtle syntax dependencies: an individual BRANCH (as ++ * opposed to a collection of them) is never concatenated with anything ++ * because of operator precedence.) The operand of some types of node is ++ * a literal string; for others, it is a node leading into a sub-FSM. In ++ * particular, the operand of a BRANCH node is the first node of the branch. ++ * (NB this is *not* a tree structure: the tail of the branch connects ++ * to the thing following the set of BRANCHes.) The opcodes are: ++ */ ++ ++/* definition number opnd? meaning */ ++#define END 0 /* no End of program. */ ++#define BOL 1 /* no Match "" at beginning of line. */ ++#define EOL 2 /* no Match "" at end of line. */ ++#define ANY 3 /* no Match any one character. */ ++#define ANYOF 4 /* str Match any character in this string. */ ++#define ANYBUT 5 /* str Match any character not in this string. */ ++#define BRANCH 6 /* node Match this alternative, or the next... */ ++#define BACK 7 /* no Match "", "next" ptr points backward. */ ++#define EXACTLY 8 /* str Match this string. */ ++#define NOTHING 9 /* no Match empty string. */ ++#define STAR 10 /* node Match this (simple) thing 0 or more times. */ ++#define PLUS 11 /* node Match this (simple) thing 1 or more times. */ ++#define OPEN 20 /* no Mark this point in input as start of #n. */ ++ /* OPEN+1 is number 1, etc. */ ++#define CLOSE 30 /* no Analogous to OPEN. */ ++ ++/* ++ * Opcode notes: ++ * ++ * BRANCH The set of branches constituting a single choice are hooked ++ * together with their "next" pointers, since precedence prevents ++ * anything being concatenated to any individual branch. The ++ * "next" pointer of the last BRANCH in a choice points to the ++ * thing following the whole choice. This is also where the ++ * final "next" pointer of each individual branch points; each ++ * branch starts with the operand node of a BRANCH node. ++ * ++ * BACK Normal "next" pointers all implicitly point forward; BACK ++ * exists to make loop structures possible. ++ * ++ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular ++ * BRANCH structures using BACK. Simple cases (one character ++ * per match) are implemented with STAR and PLUS for speed ++ * and to minimize recursive plunges. ++ * ++ * OPEN,CLOSE ...are numbered at compile time. ++ */ ++ ++/* ++ * A node is one char of opcode followed by two chars of "next" pointer. ++ * "Next" pointers are stored as two 8-bit pieces, high order first. The ++ * value is a positive offset from the opcode of the node containing it. ++ * An operand, if any, simply follows the node. (Note that much of the ++ * code generation knows about this implicit relationship.) ++ * ++ * Using two bytes for the "next" pointer is vast overkill for most things, ++ * but allows patterns to get big without disasters. ++ */ ++#define OP(p) (*(p)) ++#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377)) ++#define OPERAND(p) ((p) + 3) ++ ++/* ++ * See regmagic.h for one further detail of program structure. ++ */ ++ ++ ++/* ++ * Utility definitions. ++ */ ++#ifndef CHARBITS ++#define UCHARAT(p) ((int)*(unsigned char *)(p)) ++#else ++#define UCHARAT(p) ((int)*(p)&CHARBITS) ++#endif ++ ++#define FAIL(m) { regerror(m); return(NULL); } ++#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?') ++#define META "^$.[()|?+*\\" ++ ++/* ++ * Flags to be passed up and down. ++ */ ++#define HASWIDTH 01 /* Known never to match null string. */ ++#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */ ++#define SPSTART 04 /* Starts with * or +. */ ++#define WORST 0 /* Worst case. */ ++ ++/* ++ * Global work variables for regcomp(). ++ */ ++struct match_globals { ++char *reginput; /* String-input pointer. */ ++char *regbol; /* Beginning of input, for ^ check. */ ++char **regstartp; /* Pointer to startp array. */ ++char **regendp; /* Ditto for endp. */ ++char *regparse; /* Input-scan pointer. */ ++int regnpar; /* () count. */ ++char regdummy; ++char *regcode; /* Code-emit pointer; ®dummy = don't. */ ++long regsize; /* Code size. */ ++}; ++ ++/* ++ * Forward declarations for regcomp()'s friends. ++ */ ++#ifndef STATIC ++#define STATIC static ++#endif ++STATIC char *reg(struct match_globals *g, int paren,int *flagp); ++STATIC char *regbranch(struct match_globals *g, int *flagp); ++STATIC char *regpiece(struct match_globals *g, int *flagp); ++STATIC char *regatom(struct match_globals *g, int *flagp); ++STATIC char *regnode(struct match_globals *g, char op); ++STATIC char *regnext(struct match_globals *g, char *p); ++STATIC void regc(struct match_globals *g, char b); ++STATIC void reginsert(struct match_globals *g, char op, char *opnd); ++STATIC void regtail(struct match_globals *g, char *p, char *val); ++STATIC void regoptail(struct match_globals *g, char *p, char *val); ++ ++ ++__kernel_size_t my_strcspn(const char *s1,const char *s2) ++{ ++ char *scan1; ++ char *scan2; ++ int count; ++ ++ count = 0; ++ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) { ++ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */ ++ if (*scan1 == *scan2++) ++ return(count); ++ count++; ++ } ++ return(count); ++} ++ ++/* ++ - regcomp - compile a regular expression into internal code ++ * ++ * We can't allocate space until we know how big the compiled form will be, ++ * but we can't compile it (and thus know how big it is) until we've got a ++ * place to put the code. So we cheat: we compile it twice, once with code ++ * generation turned off and size counting turned on, and once "for real". ++ * This also means that we don't allocate space until we are sure that the ++ * thing really will compile successfully, and we never have to move the ++ * code and thus invalidate pointers into it. (Note that it has to be in ++ * one piece because free() must be able to free it all.) ++ * ++ * Beware that the optimization-preparation code in here knows about some ++ * of the structure of the compiled regexp. ++ */ ++regexp * ++regcomp(char *exp,int *patternsize) ++{ ++ register regexp *r; ++ register char *scan; ++ register char *longest; ++ register int len; ++ int flags; ++ struct match_globals g; ++ ++ /* commented out by ethan ++ extern char *malloc(); ++ */ ++ ++ if (exp == NULL) ++ FAIL("NULL argument"); ++ ++ /* First pass: determine size, legality. */ ++ g.regparse = exp; ++ g.regnpar = 1; ++ g.regsize = 0L; ++ g.regcode = &g.regdummy; ++ regc(&g, MAGIC); ++ if (reg(&g, 0, &flags) == NULL) ++ return(NULL); ++ ++ /* Small enough for pointer-storage convention? */ ++ if (g.regsize >= 32767L) /* Probably could be 65535L. */ ++ FAIL("regexp too big"); ++ ++ /* Allocate space. */ ++ *patternsize=sizeof(regexp) + (unsigned)g.regsize; ++ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize); ++ if (r == NULL) ++ FAIL("out of space"); ++ ++ /* Second pass: emit code. */ ++ g.regparse = exp; ++ g.regnpar = 1; ++ g.regcode = r->program; ++ regc(&g, MAGIC); ++ if (reg(&g, 0, &flags) == NULL) ++ return(NULL); ++ ++ /* Dig out information for optimizations. */ ++ r->regstart = '\0'; /* Worst-case defaults. */ ++ r->reganch = 0; ++ r->regmust = NULL; ++ r->regmlen = 0; ++ scan = r->program+1; /* First BRANCH. */ ++ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */ ++ scan = OPERAND(scan); ++ ++ /* Starting-point info. */ ++ if (OP(scan) == EXACTLY) ++ r->regstart = *OPERAND(scan); ++ else if (OP(scan) == BOL) ++ r->reganch++; ++ ++ /* ++ * If there's something expensive in the r.e., find the ++ * longest literal string that must appear and make it the ++ * regmust. Resolve ties in favor of later strings, since ++ * the regstart check works with the beginning of the r.e. ++ * and avoiding duplication strengthens checking. Not a ++ * strong reason, but sufficient in the absence of others. ++ */ ++ if (flags&SPSTART) { ++ longest = NULL; ++ len = 0; ++ for (; scan != NULL; scan = regnext(&g, scan)) ++ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { ++ longest = OPERAND(scan); ++ len = strlen(OPERAND(scan)); ++ } ++ r->regmust = longest; ++ r->regmlen = len; ++ } ++ } ++ ++ return(r); ++} ++ ++/* ++ - reg - regular expression, i.e. main body or parenthesized thing ++ * ++ * Caller must absorb opening parenthesis. ++ * ++ * Combining parenthesis handling with the base level of regular expression ++ * is a trifle forced, but the need to tie the tails of the branches to what ++ * follows makes it hard to avoid. ++ */ ++static char * ++reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ ) ++{ ++ register char *ret; ++ register char *br; ++ register char *ender; ++ register int parno = 0; /* 0 makes gcc happy */ ++ int flags; ++ ++ *flagp = HASWIDTH; /* Tentatively. */ ++ ++ /* Make an OPEN node, if parenthesized. */ ++ if (paren) { ++ if (g->regnpar >= NSUBEXP) ++ FAIL("too many ()"); ++ parno = g->regnpar; ++ g->regnpar++; ++ ret = regnode(g, OPEN+parno); ++ } else ++ ret = NULL; ++ ++ /* Pick up the branches, linking them together. */ ++ br = regbranch(g, &flags); ++ if (br == NULL) ++ return(NULL); ++ if (ret != NULL) ++ regtail(g, ret, br); /* OPEN -> first. */ ++ else ++ ret = br; ++ if (!(flags&HASWIDTH)) ++ *flagp &= ~HASWIDTH; ++ *flagp |= flags&SPSTART; ++ while (*g->regparse == '|') { ++ g->regparse++; ++ br = regbranch(g, &flags); ++ if (br == NULL) ++ return(NULL); ++ regtail(g, ret, br); /* BRANCH -> BRANCH. */ ++ if (!(flags&HASWIDTH)) ++ *flagp &= ~HASWIDTH; ++ *flagp |= flags&SPSTART; ++ } ++ ++ /* Make a closing node, and hook it on the end. */ ++ ender = regnode(g, (paren) ? CLOSE+parno : END); ++ regtail(g, ret, ender); ++ ++ /* Hook the tails of the branches to the closing node. */ ++ for (br = ret; br != NULL; br = regnext(g, br)) ++ regoptail(g, br, ender); ++ ++ /* Check for proper termination. */ ++ if (paren && *g->regparse++ != ')') { ++ FAIL("unmatched ()"); ++ } else if (!paren && *g->regparse != '\0') { ++ if (*g->regparse == ')') { ++ FAIL("unmatched ()"); ++ } else ++ FAIL("junk on end"); /* "Can't happen". */ ++ /* NOTREACHED */ ++ } ++ ++ return(ret); ++} ++ ++/* ++ - regbranch - one alternative of an | operator ++ * ++ * Implements the concatenation operator. ++ */ ++static char * ++regbranch(struct match_globals *g, int *flagp) ++{ ++ register char *ret; ++ register char *chain; ++ register char *latest; ++ int flags; ++ ++ *flagp = WORST; /* Tentatively. */ ++ ++ ret = regnode(g, BRANCH); ++ chain = NULL; ++ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') { ++ latest = regpiece(g, &flags); ++ if (latest == NULL) ++ return(NULL); ++ *flagp |= flags&HASWIDTH; ++ if (chain == NULL) /* First piece. */ ++ *flagp |= flags&SPSTART; ++ else ++ regtail(g, chain, latest); ++ chain = latest; ++ } ++ if (chain == NULL) /* Loop ran zero times. */ ++ (void) regnode(g, NOTHING); ++ ++ return(ret); ++} ++ ++/* ++ - regpiece - something followed by possible [*+?] ++ * ++ * Note that the branching code sequences used for ? and the general cases ++ * of * and + are somewhat optimized: they use the same NOTHING node as ++ * both the endmarker for their branch list and the body of the last branch. ++ * It might seem that this node could be dispensed with entirely, but the ++ * endmarker role is not redundant. ++ */ ++static char * ++regpiece(struct match_globals *g, int *flagp) ++{ ++ register char *ret; ++ register char op; ++ register char *next; ++ int flags; ++ ++ ret = regatom(g, &flags); ++ if (ret == NULL) ++ return(NULL); ++ ++ op = *g->regparse; ++ if (!ISMULT(op)) { ++ *flagp = flags; ++ return(ret); ++ } ++ ++ if (!(flags&HASWIDTH) && op != '?') ++ FAIL("*+ operand could be empty"); ++ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH); ++ ++ if (op == '*' && (flags&SIMPLE)) ++ reginsert(g, STAR, ret); ++ else if (op == '*') { ++ /* Emit x* as (x&|), where & means "self". */ ++ reginsert(g, BRANCH, ret); /* Either x */ ++ regoptail(g, ret, regnode(g, BACK)); /* and loop */ ++ regoptail(g, ret, ret); /* back */ ++ regtail(g, ret, regnode(g, BRANCH)); /* or */ ++ regtail(g, ret, regnode(g, NOTHING)); /* null. */ ++ } else if (op == '+' && (flags&SIMPLE)) ++ reginsert(g, PLUS, ret); ++ else if (op == '+') { ++ /* Emit x+ as x(&|), where & means "self". */ ++ next = regnode(g, BRANCH); /* Either */ ++ regtail(g, ret, next); ++ regtail(g, regnode(g, BACK), ret); /* loop back */ ++ regtail(g, next, regnode(g, BRANCH)); /* or */ ++ regtail(g, ret, regnode(g, NOTHING)); /* null. */ ++ } else if (op == '?') { ++ /* Emit x? as (x|) */ ++ reginsert(g, BRANCH, ret); /* Either x */ ++ regtail(g, ret, regnode(g, BRANCH)); /* or */ ++ next = regnode(g, NOTHING); /* null. */ ++ regtail(g, ret, next); ++ regoptail(g, ret, next); ++ } ++ g->regparse++; ++ if (ISMULT(*g->regparse)) ++ FAIL("nested *?+"); ++ ++ return(ret); ++} ++ ++/* ++ - regatom - the lowest level ++ * ++ * Optimization: gobbles an entire sequence of ordinary characters so that ++ * it can turn them into a single node, which is smaller to store and ++ * faster to run. Backslashed characters are exceptions, each becoming a ++ * separate node; the code is simpler that way and it's not worth fixing. ++ */ ++static char * ++regatom(struct match_globals *g, int *flagp) ++{ ++ register char *ret; ++ int flags; ++ ++ *flagp = WORST; /* Tentatively. */ ++ ++ switch (*g->regparse++) { ++ case '^': ++ ret = regnode(g, BOL); ++ break; ++ case '$': ++ ret = regnode(g, EOL); ++ break; ++ case '.': ++ ret = regnode(g, ANY); ++ *flagp |= HASWIDTH|SIMPLE; ++ break; ++ case '[': { ++ register int class; ++ register int classend; ++ ++ if (*g->regparse == '^') { /* Complement of range. */ ++ ret = regnode(g, ANYBUT); ++ g->regparse++; ++ } else ++ ret = regnode(g, ANYOF); ++ if (*g->regparse == ']' || *g->regparse == '-') ++ regc(g, *g->regparse++); ++ while (*g->regparse != '\0' && *g->regparse != ']') { ++ if (*g->regparse == '-') { ++ g->regparse++; ++ if (*g->regparse == ']' || *g->regparse == '\0') ++ regc(g, '-'); ++ else { ++ class = UCHARAT(g->regparse-2)+1; ++ classend = UCHARAT(g->regparse); ++ if (class > classend+1) ++ FAIL("invalid [] range"); ++ for (; class <= classend; class++) ++ regc(g, class); ++ g->regparse++; ++ } ++ } else ++ regc(g, *g->regparse++); ++ } ++ regc(g, '\0'); ++ if (*g->regparse != ']') ++ FAIL("unmatched []"); ++ g->regparse++; ++ *flagp |= HASWIDTH|SIMPLE; ++ } ++ break; ++ case '(': ++ ret = reg(g, 1, &flags); ++ if (ret == NULL) ++ return(NULL); ++ *flagp |= flags&(HASWIDTH|SPSTART); ++ break; ++ case '\0': ++ case '|': ++ case ')': ++ FAIL("internal urp"); /* Supposed to be caught earlier. */ ++ break; ++ case '?': ++ case '+': ++ case '*': ++ FAIL("?+* follows nothing"); ++ break; ++ case '\\': ++ if (*g->regparse == '\0') ++ FAIL("trailing \\"); ++ ret = regnode(g, EXACTLY); ++ regc(g, *g->regparse++); ++ regc(g, '\0'); ++ *flagp |= HASWIDTH|SIMPLE; ++ break; ++ default: { ++ register int len; ++ register char ender; ++ ++ g->regparse--; ++ len = my_strcspn((const char *)g->regparse, (const char *)META); ++ if (len <= 0) ++ FAIL("internal disaster"); ++ ender = *(g->regparse+len); ++ if (len > 1 && ISMULT(ender)) ++ len--; /* Back off clear of ?+* operand. */ ++ *flagp |= HASWIDTH; ++ if (len == 1) ++ *flagp |= SIMPLE; ++ ret = regnode(g, EXACTLY); ++ while (len > 0) { ++ regc(g, *g->regparse++); ++ len--; ++ } ++ regc(g, '\0'); ++ } ++ break; ++ } ++ ++ return(ret); ++} ++ ++/* ++ - regnode - emit a node ++ */ ++static char * /* Location. */ ++regnode(struct match_globals *g, char op) ++{ ++ register char *ret; ++ register char *ptr; ++ ++ ret = g->regcode; ++ if (ret == &g->regdummy) { ++ g->regsize += 3; ++ return(ret); ++ } ++ ++ ptr = ret; ++ *ptr++ = op; ++ *ptr++ = '\0'; /* Null "next" pointer. */ ++ *ptr++ = '\0'; ++ g->regcode = ptr; ++ ++ return(ret); ++} ++ ++/* ++ - regc - emit (if appropriate) a byte of code ++ */ ++static void ++regc(struct match_globals *g, char b) ++{ ++ if (g->regcode != &g->regdummy) ++ *g->regcode++ = b; ++ else ++ g->regsize++; ++} ++ ++/* ++ - reginsert - insert an operator in front of already-emitted operand ++ * ++ * Means relocating the operand. ++ */ ++static void ++reginsert(struct match_globals *g, char op, char* opnd) ++{ ++ register char *src; ++ register char *dst; ++ register char *place; ++ ++ if (g->regcode == &g->regdummy) { ++ g->regsize += 3; ++ return; ++ } ++ ++ src = g->regcode; ++ g->regcode += 3; ++ dst = g->regcode; ++ while (src > opnd) ++ *--dst = *--src; ++ ++ place = opnd; /* Op node, where operand used to be. */ ++ *place++ = op; ++ *place++ = '\0'; ++ *place++ = '\0'; ++} ++ ++/* ++ - regtail - set the next-pointer at the end of a node chain ++ */ ++static void ++regtail(struct match_globals *g, char *p, char *val) ++{ ++ register char *scan; ++ register char *temp; ++ register int offset; ++ ++ if (p == &g->regdummy) ++ return; ++ ++ /* Find last node. */ ++ scan = p; ++ for (;;) { ++ temp = regnext(g, scan); ++ if (temp == NULL) ++ break; ++ scan = temp; ++ } ++ ++ if (OP(scan) == BACK) ++ offset = scan - val; ++ else ++ offset = val - scan; ++ *(scan+1) = (offset>>8)&0377; ++ *(scan+2) = offset&0377; ++} ++ ++/* ++ - regoptail - regtail on operand of first argument; nop if operandless ++ */ ++static void ++regoptail(struct match_globals *g, char *p, char *val) ++{ ++ /* "Operandless" and "op != BRANCH" are synonymous in practice. */ ++ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH) ++ return; ++ regtail(g, OPERAND(p), val); ++} ++ ++/* ++ * regexec and friends ++ */ ++ ++ ++/* ++ * Forwards. ++ */ ++STATIC int regtry(struct match_globals *g, regexp *prog, char *string); ++STATIC int regmatch(struct match_globals *g, char *prog); ++STATIC int regrepeat(struct match_globals *g, char *p); ++ ++#ifdef DEBUG ++int regnarrate = 0; ++void regdump(); ++STATIC char *regprop(char *op); ++#endif ++ ++/* ++ - regexec - match a regexp against a string ++ */ ++int ++regexec(regexp *prog, char *string) ++{ ++ register char *s; ++ struct match_globals g; ++ ++ /* Be paranoid... */ ++ if (prog == NULL || string == NULL) { ++ printk("<3>Regexp: NULL parameter\n"); ++ return(0); ++ } ++ ++ /* Check validity of program. */ ++ if (UCHARAT(prog->program) != MAGIC) { ++ printk("<3>Regexp: corrupted program\n"); ++ return(0); ++ } ++ ++ /* If there is a "must appear" string, look for it. */ ++ if (prog->regmust != NULL) { ++ s = string; ++ while ((s = strchr(s, prog->regmust[0])) != NULL) { ++ if (strncmp(s, prog->regmust, prog->regmlen) == 0) ++ break; /* Found it. */ ++ s++; ++ } ++ if (s == NULL) /* Not present. */ ++ return(0); ++ } ++ ++ /* Mark beginning of line for ^ . */ ++ g.regbol = string; ++ ++ /* Simplest case: anchored match need be tried only once. */ ++ if (prog->reganch) ++ return(regtry(&g, prog, string)); ++ ++ /* Messy cases: unanchored match. */ ++ s = string; ++ if (prog->regstart != '\0') ++ /* We know what char it must start with. */ ++ while ((s = strchr(s, prog->regstart)) != NULL) { ++ if (regtry(&g, prog, s)) ++ return(1); ++ s++; ++ } ++ else ++ /* We don't -- general case. */ ++ do { ++ if (regtry(&g, prog, s)) ++ return(1); ++ } while (*s++ != '\0'); ++ ++ /* Failure. */ ++ return(0); ++} ++ ++/* ++ - regtry - try match at specific point ++ */ ++static int /* 0 failure, 1 success */ ++regtry(struct match_globals *g, regexp *prog, char *string) ++{ ++ register int i; ++ register char **sp; ++ register char **ep; ++ ++ g->reginput = string; ++ g->regstartp = prog->startp; ++ g->regendp = prog->endp; ++ ++ sp = prog->startp; ++ ep = prog->endp; ++ for (i = NSUBEXP; i > 0; i--) { ++ *sp++ = NULL; ++ *ep++ = NULL; ++ } ++ if (regmatch(g, prog->program + 1)) { ++ prog->startp[0] = string; ++ prog->endp[0] = g->reginput; ++ return(1); ++ } else ++ return(0); ++} ++ ++/* ++ - regmatch - main matching routine ++ * ++ * Conceptually the strategy is simple: check to see whether the current ++ * node matches, call self recursively to see whether the rest matches, ++ * and then act accordingly. In practice we make some effort to avoid ++ * recursion, in particular by going through "ordinary" nodes (that don't ++ * need to know whether the rest of the match failed) by a loop instead of ++ * by recursion. ++ */ ++static int /* 0 failure, 1 success */ ++regmatch(struct match_globals *g, char *prog) ++{ ++ register char *scan = prog; /* Current node. */ ++ char *next; /* Next node. */ ++ ++#ifdef DEBUG ++ if (scan != NULL && regnarrate) ++ fprintf(stderr, "%s(\n", regprop(scan)); ++#endif ++ while (scan != NULL) { ++#ifdef DEBUG ++ if (regnarrate) ++ fprintf(stderr, "%s...\n", regprop(scan)); ++#endif ++ next = regnext(g, scan); ++ ++ switch (OP(scan)) { ++ case BOL: ++ if (g->reginput != g->regbol) ++ return(0); ++ break; ++ case EOL: ++ if (*g->reginput != '\0') ++ return(0); ++ break; ++ case ANY: ++ if (*g->reginput == '\0') ++ return(0); ++ g->reginput++; ++ break; ++ case EXACTLY: { ++ register int len; ++ register char *opnd; ++ ++ opnd = OPERAND(scan); ++ /* Inline the first character, for speed. */ ++ if (*opnd != *g->reginput) ++ return(0); ++ len = strlen(opnd); ++ if (len > 1 && strncmp(opnd, g->reginput, len) != 0) ++ return(0); ++ g->reginput += len; ++ } ++ break; ++ case ANYOF: ++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL) ++ return(0); ++ g->reginput++; ++ break; ++ case ANYBUT: ++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL) ++ return(0); ++ g->reginput++; ++ break; ++ case NOTHING: ++ case BACK: ++ break; ++ case OPEN+1: ++ case OPEN+2: ++ case OPEN+3: ++ case OPEN+4: ++ case OPEN+5: ++ case OPEN+6: ++ case OPEN+7: ++ case OPEN+8: ++ case OPEN+9: { ++ register int no; ++ register char *save; ++ ++ no = OP(scan) - OPEN; ++ save = g->reginput; ++ ++ if (regmatch(g, next)) { ++ /* ++ * Don't set startp if some later ++ * invocation of the same parentheses ++ * already has. ++ */ ++ if (g->regstartp[no] == NULL) ++ g->regstartp[no] = save; ++ return(1); ++ } else ++ return(0); ++ } ++ break; ++ case CLOSE+1: ++ case CLOSE+2: ++ case CLOSE+3: ++ case CLOSE+4: ++ case CLOSE+5: ++ case CLOSE+6: ++ case CLOSE+7: ++ case CLOSE+8: ++ case CLOSE+9: ++ { ++ register int no; ++ register char *save; ++ ++ no = OP(scan) - CLOSE; ++ save = g->reginput; ++ ++ if (regmatch(g, next)) { ++ /* ++ * Don't set endp if some later ++ * invocation of the same parentheses ++ * already has. ++ */ ++ if (g->regendp[no] == NULL) ++ g->regendp[no] = save; ++ return(1); ++ } else ++ return(0); ++ } ++ break; ++ case BRANCH: { ++ register char *save; ++ ++ if (OP(next) != BRANCH) /* No choice. */ ++ next = OPERAND(scan); /* Avoid recursion. */ ++ else { ++ do { ++ save = g->reginput; ++ if (regmatch(g, OPERAND(scan))) ++ return(1); ++ g->reginput = save; ++ scan = regnext(g, scan); ++ } while (scan != NULL && OP(scan) == BRANCH); ++ return(0); ++ /* NOTREACHED */ ++ } ++ } ++ break; ++ case STAR: ++ case PLUS: { ++ register char nextch; ++ register int no; ++ register char *save; ++ register int min; ++ ++ /* ++ * Lookahead to avoid useless match attempts ++ * when we know what character comes next. ++ */ ++ nextch = '\0'; ++ if (OP(next) == EXACTLY) ++ nextch = *OPERAND(next); ++ min = (OP(scan) == STAR) ? 0 : 1; ++ save = g->reginput; ++ no = regrepeat(g, OPERAND(scan)); ++ while (no >= min) { ++ /* If it could work, try it. */ ++ if (nextch == '\0' || *g->reginput == nextch) ++ if (regmatch(g, next)) ++ return(1); ++ /* Couldn't or didn't -- back up. */ ++ no--; ++ g->reginput = save + no; ++ } ++ return(0); ++ } ++ break; ++ case END: ++ return(1); /* Success! */ ++ break; ++ default: ++ printk("<3>Regexp: memory corruption\n"); ++ return(0); ++ break; ++ } ++ ++ scan = next; ++ } ++ ++ /* ++ * We get here only if there's trouble -- normally "case END" is ++ * the terminating point. ++ */ ++ printk("<3>Regexp: corrupted pointers\n"); ++ return(0); ++} ++ ++/* ++ - regrepeat - repeatedly match something simple, report how many ++ */ ++static int ++regrepeat(struct match_globals *g, char *p) ++{ ++ register int count = 0; ++ register char *scan; ++ register char *opnd; ++ ++ scan = g->reginput; ++ opnd = OPERAND(p); ++ switch (OP(p)) { ++ case ANY: ++ count = strlen(scan); ++ scan += count; ++ break; ++ case EXACTLY: ++ while (*opnd == *scan) { ++ count++; ++ scan++; ++ } ++ break; ++ case ANYOF: ++ while (*scan != '\0' && strchr(opnd, *scan) != NULL) { ++ count++; ++ scan++; ++ } ++ break; ++ case ANYBUT: ++ while (*scan != '\0' && strchr(opnd, *scan) == NULL) { ++ count++; ++ scan++; ++ } ++ break; ++ default: /* Oh dear. Called inappropriately. */ ++ printk("<3>Regexp: internal foulup\n"); ++ count = 0; /* Best compromise. */ ++ break; ++ } ++ g->reginput = scan; ++ ++ return(count); ++} ++ ++/* ++ - regnext - dig the "next" pointer out of a node ++ */ ++static char* ++regnext(struct match_globals *g, char *p) ++{ ++ register int offset; ++ ++ if (p == &g->regdummy) ++ return(NULL); ++ ++ offset = NEXT(p); ++ if (offset == 0) ++ return(NULL); ++ ++ if (OP(p) == BACK) ++ return(p-offset); ++ else ++ return(p+offset); ++} ++ ++#ifdef DEBUG ++ ++STATIC char *regprop(); ++ ++/* ++ - regdump - dump a regexp onto stdout in vaguely comprehensible form ++ */ ++void ++regdump(regexp *r) ++{ ++ register char *s; ++ register char op = EXACTLY; /* Arbitrary non-END op. */ ++ register char *next; ++ /* extern char *strchr(); */ ++ ++ ++ s = r->program + 1; ++ while (op != END) { /* While that wasn't END last time... */ ++ op = OP(s); ++ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */ ++ next = regnext(s); ++ if (next == NULL) /* Next ptr. */ ++ printf("(0)"); ++ else ++ printf("(%d)", (s-r->program)+(next-s)); ++ s += 3; ++ if (op == ANYOF || op == ANYBUT || op == EXACTLY) { ++ /* Literal string, where present. */ ++ while (*s != '\0') { ++ putchar(*s); ++ s++; ++ } ++ s++; ++ } ++ putchar('\n'); ++ } ++ ++ /* Header fields of interest. */ ++ if (r->regstart != '\0') ++ printf("start `%c' ", r->regstart); ++ if (r->reganch) ++ printf("anchored "); ++ if (r->regmust != NULL) ++ printf("must have \"%s\"", r->regmust); ++ printf("\n"); ++} ++ ++/* ++ - regprop - printable representation of opcode ++ */ ++static char * ++regprop(char *op) ++{ ++#define BUFLEN 50 ++ register char *p; ++ static char buf[BUFLEN]; ++ ++ strcpy(buf, ":"); ++ ++ switch (OP(op)) { ++ case BOL: ++ p = "BOL"; ++ break; ++ case EOL: ++ p = "EOL"; ++ break; ++ case ANY: ++ p = "ANY"; ++ break; ++ case ANYOF: ++ p = "ANYOF"; ++ break; ++ case ANYBUT: ++ p = "ANYBUT"; ++ break; ++ case BRANCH: ++ p = "BRANCH"; ++ break; ++ case EXACTLY: ++ p = "EXACTLY"; ++ break; ++ case NOTHING: ++ p = "NOTHING"; ++ break; ++ case BACK: ++ p = "BACK"; ++ break; ++ case END: ++ p = "END"; ++ break; ++ case OPEN+1: ++ case OPEN+2: ++ case OPEN+3: ++ case OPEN+4: ++ case OPEN+5: ++ case OPEN+6: ++ case OPEN+7: ++ case OPEN+8: ++ case OPEN+9: ++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN); ++ p = NULL; ++ break; ++ case CLOSE+1: ++ case CLOSE+2: ++ case CLOSE+3: ++ case CLOSE+4: ++ case CLOSE+5: ++ case CLOSE+6: ++ case CLOSE+7: ++ case CLOSE+8: ++ case CLOSE+9: ++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE); ++ p = NULL; ++ break; ++ case STAR: ++ p = "STAR"; ++ break; ++ case PLUS: ++ p = "PLUS"; ++ break; ++ default: ++ printk("<3>Regexp: corrupted opcode\n"); ++ break; ++ } ++ if (p != NULL) ++ strncat(buf, p, BUFLEN-strlen(buf)); ++ return(buf); ++} ++#endif ++ ++ +Index: linux-2.6.21.7/net/netfilter/regexp/regexp.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/regexp/regexp.h +@@ -0,0 +1,41 @@ ++/* ++ * Definitions etc. for regexp(3) routines. ++ * ++ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], ++ * not the System V one. ++ */ ++ ++#ifndef REGEXP_H ++#define REGEXP_H ++ ++ ++/* ++http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h , ++which contains a version of this library, says: ++ ++ * ++ * NSUBEXP must be at least 10, and no greater than 117 or the parser ++ * will not work properly. ++ * ++ ++However, it looks rather like this library is limited to 10. If you think ++otherwise, let us know. ++*/ ++ ++#define NSUBEXP 10 ++typedef struct regexp { ++ char *startp[NSUBEXP]; ++ char *endp[NSUBEXP]; ++ char regstart; /* Internal use only. */ ++ char reganch; /* Internal use only. */ ++ char *regmust; /* Internal use only. */ ++ int regmlen; /* Internal use only. */ ++ char program[1]; /* Unwarranted chumminess with compiler. */ ++} regexp; ++ ++regexp * regcomp(char *exp, int *patternsize); ++int regexec(regexp *prog, char *string); ++void regsub(regexp *prog, char *source, char *dest); ++void regerror(char *s); ++ ++#endif +Index: linux-2.6.21.7/net/netfilter/regexp/regmagic.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/regexp/regmagic.h +@@ -0,0 +1,5 @@ ++/* ++ * The first byte of the regexp internal "program" is actually this magic ++ * number; the start node begins in the second byte. ++ */ ++#define MAGIC 0234 +Index: linux-2.6.21.7/net/netfilter/regexp/regsub.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/regexp/regsub.c +@@ -0,0 +1,95 @@ ++/* ++ * regsub ++ * @(#)regsub.c 1.3 of 2 April 86 ++ * ++ * Copyright (c) 1986 by University of Toronto. ++ * Written by Henry Spencer. Not derived from licensed software. ++ * ++ * Permission is granted to anyone to use this software for any ++ * purpose on any computer system, and to redistribute it freely, ++ * subject to the following restrictions: ++ * ++ * 1. The author is not responsible for the consequences of use of ++ * this software, no matter how awful, even if they arise ++ * from defects in it. ++ * ++ * 2. The origin of this software must not be misrepresented, either ++ * by explicit claim or by omission. ++ * ++ * 3. Altered versions must be plainly marked as such, and must not ++ * be misrepresented as being the original software. ++ * ++ * ++ * This code was modified by Ethan Sommer to work within the kernel ++ * (it now uses kmalloc etc..) ++ * ++ */ ++#include "regexp.h" ++#include "regmagic.h" ++#include ++ ++ ++#ifndef CHARBITS ++#define UCHARAT(p) ((int)*(unsigned char *)(p)) ++#else ++#define UCHARAT(p) ((int)*(p)&CHARBITS) ++#endif ++ ++#if 0 ++//void regerror(char * s) ++//{ ++// printk("regexp(3): %s", s); ++// /* NOTREACHED */ ++//} ++#endif ++ ++/* ++ - regsub - perform substitutions after a regexp match ++ */ ++void ++regsub(regexp * prog, char * source, char * dest) ++{ ++ register char *src; ++ register char *dst; ++ register char c; ++ register int no; ++ register int len; ++ ++ /* Not necessary and gcc doesn't like it -MLS */ ++ /*extern char *strncpy();*/ ++ ++ if (prog == NULL || source == NULL || dest == NULL) { ++ regerror("NULL parm to regsub"); ++ return; ++ } ++ if (UCHARAT(prog->program) != MAGIC) { ++ regerror("damaged regexp fed to regsub"); ++ return; ++ } ++ ++ src = source; ++ dst = dest; ++ while ((c = *src++) != '\0') { ++ if (c == '&') ++ no = 0; ++ else if (c == '\\' && '0' <= *src && *src <= '9') ++ no = *src++ - '0'; ++ else ++ no = -1; ++ ++ if (no < 0) { /* Ordinary character. */ ++ if (c == '\\' && (*src == '\\' || *src == '&')) ++ c = *src++; ++ *dst++ = c; ++ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { ++ len = prog->endp[no] - prog->startp[no]; ++ (void) strncpy(dst, prog->startp[no], len); ++ dst += len; ++ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */ ++ regerror("damaged match string"); ++ return; ++ } ++ } ++ } ++ *dst++ = '\0'; ++} +Index: linux-2.6.21.7/net/netfilter/nf_conntrack_core.c +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_core.c ++++ linux-2.6.21.7/net/netfilter/nf_conntrack_core.c +@@ -352,6 +352,14 @@ destroy_conntrack(struct nf_conntrack *n + * too. */ + nf_ct_remove_expectations(ct); + ++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ if(ct->layer7.app_proto) ++ kfree(ct->layer7.app_proto); ++ if(ct->layer7.app_data) ++ kfree(ct->layer7.app_data); ++ #endif ++ ++ + /* We overload first tuple to link into unconfirmed list. */ + if (!nf_ct_is_confirmed(ct)) { + BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); +Index: linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_standalone.c ++++ linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c +@@ -195,7 +195,12 @@ static int ct_seq_show(struct seq_file * + return -ENOSPC; + #endif + +- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) ++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ if(conntrack->layer7.app_proto) ++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto)) ++ return -ENOSPC; ++#endif ++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use))) + return -ENOSPC; + + return 0; +Index: linux-2.6.21.7/include/net/netfilter/nf_conntrack.h +=================================================================== +--- linux-2.6.21.7.orig/include/net/netfilter/nf_conntrack.h ++++ linux-2.6.21.7/include/net/netfilter/nf_conntrack.h +@@ -128,6 +128,22 @@ struct nf_conn + u_int32_t secmark; + #endif + ++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \ ++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ struct { ++ /* ++ * e.g. "http". NULL before decision. "unknown" after decision ++ * if no match. ++ */ ++ char *app_proto; ++ /* ++ * application layer data so far. NULL after match decision. ++ */ ++ char *app_data; ++ unsigned int app_data_len; ++ } layer7; ++#endif ++ + /* Storage reserved for other modules: */ + union nf_conntrack_proto proto; + +Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h +@@ -0,0 +1,13 @@ ++#ifndef _XT_LAYER7_H ++#define _XT_LAYER7_H ++ ++#define MAX_PATTERN_LEN 8192 ++#define MAX_PROTOCOL_LEN 256 ++ ++struct xt_layer7_info { ++ char protocol[MAX_PROTOCOL_LEN]; ++ char pattern[MAX_PATTERN_LEN]; ++ u_int8_t invert; ++}; ++ ++#endif /* _XT_LAYER7_H */ diff --git a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch deleted file mode 100644 index 437f883e8a..0000000000 --- a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch +++ /dev/null @@ -1,2080 +0,0 @@ -Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200 -@@ -0,0 +1,26 @@ -+/* -+ By Matthew Strait , Dec 2003. -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#ifndef _IPT_LAYER7_H -+#define _IPT_LAYER7_H -+ -+#define MAX_PATTERN_LEN 8192 -+#define MAX_PROTOCOL_LEN 256 -+ -+typedef char *(*proc_ipt_search) (char *, char, char *); -+ -+struct ipt_layer7_info { -+ char protocol[MAX_PROTOCOL_LEN]; -+ char invert:1; -+ char pattern[MAX_PATTERN_LEN]; -+}; -+ -+#endif /* _IPT_LAYER7_H */ -Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:53.432285750 +0200 -+++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:55.496414750 +0200 -@@ -332,6 +332,13 @@ - * too. */ - ip_ct_remove_expectations(ct); - -+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ if(ct->layer7.app_proto) -+ kfree(ct->layer7.app_proto); -+ if(ct->layer7.app_data) -+ kfree(ct->layer7.app_data); -+ #endif -+ - /* We overload first tuple to link into unconfirmed list. */ - if (!is_confirmed(ct)) { - BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); -Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c -=================================================================== ---- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:53.440286250 +0200 -+++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:55.544417750 +0200 -@@ -188,6 +188,12 @@ - return -ENOSPC; - #endif - -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ if(conntrack->layer7.app_proto) -+ if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto)) -+ return 1; -+#endif -+ - if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) - return -ENOSPC; - -Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200 -@@ -0,0 +1,583 @@ -+/* -+ Kernel module to match application layer (OSI layer 7) data in connections. -+ -+ http://l7-filter.sf.net -+ -+ By Matthew Strait and Ethan Sommer, 2003-2006. -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+ -+ Based on ipt_string.c (C) 2000 Emmanuel Roger -+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski -+ -+ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack -+*/ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "regexp/regexp.c" -+ -+#include -+#include -+ -+MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); -+MODULE_LICENSE("GPL"); -+MODULE_DESCRIPTION("iptables application layer match module"); -+MODULE_VERSION("2.0"); -+ -+static int maxdatalen = 2048; // this is the default -+module_param(maxdatalen, int, 0444); -+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter"); -+ -+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+ #define DPRINTK(format,args...) printk(format,##args) -+#else -+ #define DPRINTK(format,args...) -+#endif -+ -+#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \ -+ master_conntrack->counters[IP_CT_DIR_REPLY].packets -+ -+/* Number of packets whose data we look at. -+This can be modified through /proc/net/layer7_numpackets */ -+static int num_packets = 10; -+ -+static struct pattern_cache { -+ char * regex_string; -+ regexp * pattern; -+ struct pattern_cache * next; -+} * first_pattern_cache = NULL; -+ -+/* I'm new to locking. Here are my assumptions: -+ -+- No one will write to /proc/net/layer7_numpackets over and over very fast; -+ if they did, nothing awful would happen. -+ -+- This code will never be processing the same packet twice at the same time, -+ because iptables rules are traversed in order. -+ -+- It doesn't matter if two packets from different connections are in here at -+ the same time, because they don't share any data. -+ -+- It _does_ matter if two packets from the same connection (or one from a -+ master and one from its child) are here at the same time. In this case, -+ we have to protect the conntracks and the list of compiled patterns. -+*/ -+DEFINE_RWLOCK(ct_lock); -+DEFINE_SPINLOCK(list_lock); -+ -+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+/* Converts an unfriendly string into a friendly one by -+replacing unprintables with periods and all whitespace with " ". */ -+static char * friendly_print(unsigned char * s) -+{ -+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC); -+ int i; -+ -+ if(!f) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n"); -+ return NULL; -+ } -+ -+ for(i = 0; i < strlen(s); i++){ -+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i]; -+ else if(isspace(s[i])) f[i] = ' '; -+ else f[i] = '.'; -+ } -+ f[i] = '\0'; -+ return f; -+} -+ -+static char dec2hex(int i) -+{ -+ switch (i) { -+ case 0 ... 9: -+ return (char)(i + '0'); -+ break; -+ case 10 ... 15: -+ return (char)(i - 10 + 'a'); -+ break; -+ default: -+ if (net_ratelimit()) -+ printk("Problem in dec2hex\n"); -+ return '\0'; -+ } -+} -+ -+static char * hex_print(unsigned char * s) -+{ -+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC); -+ int i; -+ -+ if(!g) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n"); -+ return NULL; -+ } -+ -+ for(i = 0; i < strlen(s); i++) { -+ g[i*3 ] = dec2hex(s[i]/16); -+ g[i*3 + 1] = dec2hex(s[i]%16); -+ g[i*3 + 2] = ' '; -+ } -+ g[i*3] = '\0'; -+ -+ return g; -+} -+#endif // DEBUG -+ -+/* Use instead of regcomp. As we expect to be seeing the same regexps over and -+over again, it make sense to cache the results. */ -+static regexp * compile_and_cache(char * regex_string, char * protocol) -+{ -+ struct pattern_cache * node = first_pattern_cache; -+ struct pattern_cache * last_pattern_cache = first_pattern_cache; -+ struct pattern_cache * tmp; -+ unsigned int len; -+ -+ while (node != NULL) { -+ if (!strcmp(node->regex_string, regex_string)) -+ return node->pattern; -+ -+ last_pattern_cache = node;/* points at the last non-NULL node */ -+ node = node->next; -+ } -+ -+ /* If we reach the end of the list, then we have not yet cached -+ the pattern for this regex. Let's do that now. -+ Be paranoid about running out of memory to avoid list corruption. */ -+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC); -+ -+ if(!tmp) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); -+ return NULL; -+ } -+ -+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC); -+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC); -+ tmp->next = NULL; -+ -+ if(!tmp->regex_string || !tmp->pattern) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); -+ kfree(tmp->regex_string); -+ kfree(tmp->pattern); -+ kfree(tmp); -+ return NULL; -+ } -+ -+ /* Ok. The new node is all ready now. */ -+ node = tmp; -+ -+ if(first_pattern_cache == NULL) /* list is empty */ -+ first_pattern_cache = node; /* make node the beginning */ -+ else -+ last_pattern_cache->next = node; /* attach node to the end */ -+ -+ /* copy the string and compile the regex */ -+ len = strlen(regex_string); -+ DPRINTK("About to compile this: \"%s\"\n", regex_string); -+ node->pattern = regcomp(regex_string, &len); -+ if ( !node->pattern ) { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol); -+ /* pattern is now cached as NULL, so we won't try again. */ -+ } -+ -+ strcpy(node->regex_string, regex_string); -+ return node->pattern; -+} -+ -+static int can_handle(const struct sk_buff *skb) -+{ -+ if(!skb->nh.iph) /* not IP */ -+ return 0; -+ if(skb->nh.iph->protocol != IPPROTO_TCP && -+ skb->nh.iph->protocol != IPPROTO_UDP && -+ skb->nh.iph->protocol != IPPROTO_ICMP) -+ return 0; -+ return 1; -+} -+ -+/* Returns offset the into the skb->data that the application data starts */ -+static int app_data_offset(const struct sk_buff *skb) -+{ -+ /* In case we are ported somewhere (ebtables?) where skb->nh.iph -+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ -+ int ip_hl = 4*skb->nh.iph->ihl; -+ -+ if( skb->nh.iph->protocol == IPPROTO_TCP ) { -+ /* 12 == offset into TCP header for the header length field. -+ Can't get this with skb->h.th->doff because the tcphdr -+ struct doesn't get set when routing (this is confirmed to be -+ true in Netfilter as well as QoS.) */ -+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4); -+ -+ return ip_hl + tcp_hl; -+ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) { -+ return ip_hl + 8; /* UDP header is always 8 bytes */ -+ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) { -+ return ip_hl + 8; /* ICMP header is 8 bytes */ -+ } else { -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n"); -+ return ip_hl + 8; /* something reasonable */ -+ } -+} -+ -+/* handles whether there's a match when we aren't appending data anymore */ -+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack, -+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo, -+ struct ipt_layer7_info * info) -+{ -+ /* If we're in here, throw the app data away */ -+ write_lock(&ct_lock); -+ if(master_conntrack->layer7.app_data != NULL) { -+ -+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG -+ if(!master_conntrack->layer7.app_proto) { -+ char * f = friendly_print(master_conntrack->layer7.app_data); -+ char * g = hex_print(master_conntrack->layer7.app_data); -+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n", -+ strlen(f), TOTAL_PACKETS, f); -+ kfree(f); -+ DPRINTK("In hex: %s\n", g); -+ kfree(g); -+ } -+ #endif -+ -+ kfree(master_conntrack->layer7.app_data); -+ master_conntrack->layer7.app_data = NULL; /* don't free again */ -+ } -+ write_unlock(&ct_lock); -+ -+ if(master_conntrack->layer7.app_proto){ -+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */ -+ write_lock(&ct_lock); -+ if(!conntrack->layer7.app_proto) { -+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC); -+ if(!conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ write_unlock(&ct_lock); -+ return 1; -+ } -+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto); -+ } -+ write_unlock(&ct_lock); -+ -+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol)); -+ } -+ else { -+ /* If not classified, set to "unknown" to distinguish from -+ connections that are still being tested. */ -+ write_lock(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ write_unlock(&ct_lock); -+ return 1; -+ } -+ strcpy(master_conntrack->layer7.app_proto, "unknown"); -+ write_unlock(&ct_lock); -+ return 0; -+ } -+} -+ -+/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct ip_conntrack * master_conntrack, -+ char * app_data, int appdatalen) -+{ -+ int length = 0, i; -+ int oldlength = master_conntrack->layer7.app_data_len; -+ -+ // This is a fix for a race condition by Deti Fliegl. However, I'm not -+ // clear on whether the race condition exists or whether this really -+ // fixes it. I might just be being dense... Anyway, if it's not really -+ // a fix, all it does is waste a very small amount of time. -+ if(!master_conntrack->layer7.app_data) return 0; -+ -+ /* Strip nulls. Make everything lower case (our regex lib doesn't -+ do case insensitivity). Add it to the end of the current data. */ -+ for(i = 0; i < maxdatalen-oldlength-1 && -+ i < appdatalen; i++) { -+ if(app_data[i] != '\0') { -+ master_conntrack->layer7.app_data[length+oldlength] = -+ /* the kernel version of tolower mungs 'upper ascii' */ -+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; -+ length++; -+ } -+ } -+ -+ master_conntrack->layer7.app_data[length+oldlength] = '\0'; -+ master_conntrack->layer7.app_data_len = length + oldlength; -+ -+ return length; -+} -+ -+/* Returns true on match and false otherwise. */ -+static int match(const struct sk_buff *skbin, -+ const struct net_device *in, const struct net_device *out, -+ const struct xt_match *match, const void *matchinfo, -+ int offset, unsigned int protoff, int *hotdrop) -+{ -+ /* sidestep const without getting a compiler warning... */ -+ struct sk_buff * skb = (struct sk_buff *)skbin; -+ -+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; -+ enum ip_conntrack_info master_ctinfo, ctinfo; -+ struct nf_conn *master_conntrack; -+ struct ip_conntrack *conntrack; -+ unsigned char * app_data; -+ unsigned int pattern_result, appdatalen; -+ regexp * comppattern; -+ -+ if(!can_handle(skb)){ -+ DPRINTK("layer7: This is some protocol I can't handle.\n"); -+ return info->invert; -+ } -+ -+ /* Treat parent & all its children together as one connection, except -+ for the purpose of setting conntrack->layer7.app_proto in the actual -+ connection. This makes /proc/net/ip_conntrack more satisfying. */ -+ if(((conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) == NULL) || -+ ((master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) { -+ return info->invert; -+ } -+ -+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */ -+ while (master_ct(master_conntrack) != NULL) -+ master_conntrack = master_ct(master_conntrack); -+ -+ /* if we've classified it or seen too many packets */ -+ if(TOTAL_PACKETS > num_packets || -+ master_conntrack->layer7.app_proto) { -+ -+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); -+ -+ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7 -+ rules. I'm not sure that using cb for this purpose is correct, even though -+ it says "put your private variables there". But it doesn't look like it -+ is being used for anything else in the skbs that make it here. */ -+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ -+ -+ return (pattern_result ^ info->invert); -+ } -+ -+ if(skb_is_nonlinear(skb)){ -+ if(skb_linearize(skb) != 0){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n"); -+ return info->invert; -+ } -+ } -+ -+ /* now that the skb is linearized, it's safe to set these. */ -+ app_data = skb->data + app_data_offset(skb); -+ appdatalen = skb->tail - app_data; -+ -+ spin_lock_bh(&list_lock); -+ /* the return value gets checked later, when we're ready to use it */ -+ comppattern = compile_and_cache(info->pattern, info->protocol); -+ spin_unlock_bh(&list_lock); -+ -+ /* On the first packet of a connection, allocate space for app data */ -+ write_lock(&ct_lock); -+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { -+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_data){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ write_unlock(&ct_lock); -+ return info->invert; -+ } -+ -+ master_conntrack->layer7.app_data[0] = '\0'; -+ } -+ write_unlock(&ct_lock); -+ -+ /* Can be here, but unallocated, if numpackets is increased near -+ the beginning of a connection */ -+ if(master_conntrack->layer7.app_data == NULL) -+ return (info->invert); /* unmatched */ -+ -+ if(!skb->cb[0]){ -+ int newbytes; -+ write_lock(&ct_lock); -+ newbytes = add_data(master_conntrack, app_data, appdatalen); -+ write_unlock(&ct_lock); -+ -+ if(newbytes == 0) { /* didn't add any data */ -+ skb->cb[0] = 1; -+ /* Didn't match before, not going to match now */ -+ return info->invert; -+ } -+ } -+ -+ /* If looking for "unknown", then never match. "Unknown" means that -+ we've given up; we're still trying with these packets. */ -+ read_lock(&ct_lock); -+ if(!strcmp(info->protocol, "unknown")) { -+ pattern_result = 0; -+ /* If looking for "unset", then always match. "Unset" means that we -+ haven't yet classified the connection. */ -+ } else if(!strcmp(info->protocol, "unset")) { -+ pattern_result = 2; -+ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets); -+ /* If the regexp failed to compile, don't bother running it */ -+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) { -+ DPRINTK("layer7: matched %s\n", info->protocol); -+ pattern_result = 1; -+ } else pattern_result = 0; -+ read_unlock(&ct_lock); -+ -+ if(pattern_result == 1) { -+ write_lock(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); -+ write_unlock(&ct_lock); -+ return (pattern_result ^ info->invert); -+ } -+ strcpy(master_conntrack->layer7.app_proto, info->protocol); -+ write_unlock(&ct_lock); -+ } else if(pattern_result > 1) { /* cleanup from "unset" */ -+ pattern_result = 1; -+ } -+ -+ /* mark the packet seen */ -+ skb->cb[0] = 1; -+ -+ return (pattern_result ^ info->invert); -+} -+ -+static struct xt_match layer7_match = { -+ .name = "layer7", -+ .match = &match, -+ .matchsize = sizeof(struct ipt_layer7_info), -+ .family = AF_INET, -+ .me = THIS_MODULE -+}; -+ -+/* taken from drivers/video/modedb.c */ -+static int my_atoi(const char *s) -+{ -+ int val = 0; -+ -+ for (;; s++) { -+ switch (*s) { -+ case '0'...'9': -+ val = 10*val+(*s-'0'); -+ break; -+ default: -+ return val; -+ } -+ } -+} -+ -+/* write out num_packets to userland. */ -+static int layer7_read_proc(char* page, char ** start, off_t off, int count, -+ int* eof, void * data) -+{ -+ if(num_packets > 99 && net_ratelimit()) -+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); -+ -+ page[0] = num_packets/10 + '0'; -+ page[1] = num_packets%10 + '0'; -+ page[2] = '\n'; -+ page[3] = '\0'; -+ -+ *eof=1; -+ -+ return 3; -+} -+ -+/* Read in num_packets from userland */ -+static int layer7_write_proc(struct file* file, const char* buffer, -+ unsigned long count, void *data) -+{ -+ char * foo = kmalloc(count, GFP_ATOMIC); -+ -+ if(!foo){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n"); -+ return count; -+ } -+ -+ if(copy_from_user(foo, buffer, count)) { -+ return -EFAULT; -+ } -+ -+ -+ num_packets = my_atoi(foo); -+ kfree (foo); -+ -+ /* This has an arbitrary limit to make the math easier. I'm lazy. -+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ -+ if(num_packets > 99) { -+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); -+ num_packets = 99; -+ } else if(num_packets < 1) { -+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); -+ num_packets = 1; -+ } -+ -+ return count; -+} -+ -+/* register the proc file */ -+static void layer7_init_proc(void) -+{ -+ struct proc_dir_entry* entry; -+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); -+ entry->read_proc = layer7_read_proc; -+ entry->write_proc = layer7_write_proc; -+} -+ -+static void layer7_cleanup_proc(void) -+{ -+ remove_proc_entry("layer7_numpackets", proc_net); -+} -+ -+static int __init ipt_layer7_init(void) -+{ -+ need_conntrack(); -+ -+ layer7_init_proc(); -+ if(maxdatalen < 1) { -+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n"); -+ maxdatalen = 1; -+ } -+ /* This is not a hard limit. It's just here to prevent people from -+ bringing their slow machines to a grinding halt. */ -+ else if(maxdatalen > 65536) { -+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); -+ maxdatalen = 65536; -+ } -+ return xt_register_match(&layer7_match); -+} -+ -+static void __exit ipt_layer7_fini(void) -+{ -+ layer7_cleanup_proc(); -+ xt_unregister_match(&layer7_match); -+} -+ -+module_init(ipt_layer7_init); -+module_exit(ipt_layer7_fini); -Index: linux-2.6.21.5/net/ipv4/netfilter/Kconfig -=================================================================== ---- linux-2.6.21.5.orig/net/ipv4/netfilter/Kconfig 2007-07-02 00:37:53.456287250 +0200 -+++ linux-2.6.21.5/net/ipv4/netfilter/Kconfig 2007-07-02 01:21:17.231013000 +0200 -@@ -245,6 +245,24 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config IP_NF_MATCH_LAYER7 -+ tristate "Layer 7 match support (EXPERIMENTAL)" -+ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL -+ help -+ Say Y if you want to be able to classify connections (and their -+ packets) based on regular expression matching of their application -+ layer data. This is one way to classify applications such as -+ peer-to-peer filesharing systems that do not always use the same -+ port. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ -+config IP_NF_MATCH_LAYER7_DEBUG -+ bool "Layer 7 debugging output" -+ depends on IP_NF_MATCH_LAYER7 -+ help -+ Say Y to get lots of debugging output. -+ - config IP_NF_MATCH_TOS - tristate "TOS match support" - depends on IP_NF_IPTABLES -Index: linux-2.6.21.5/net/ipv4/netfilter/Makefile -=================================================================== ---- linux-2.6.21.5.orig/net/ipv4/netfilter/Makefile 2007-07-02 00:37:53.464287750 +0200 -+++ linux-2.6.21.5/net/ipv4/netfilter/Makefile 2007-07-02 00:43:58.191081750 +0200 -@@ -92,6 +92,8 @@ - obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o - obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o - -+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o -+ - # targets - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o - obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o -Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 00:37:55.648424250 +0200 -@@ -0,0 +1,1197 @@ -+/* -+ * regcomp and regexec -- regsub and regerror are elsewhere -+ * @(#)regexp.c 1.3 of 18 April 87 -+ * -+ * Copyright (c) 1986 by University of Toronto. -+ * Written by Henry Spencer. Not derived from licensed software. -+ * -+ * Permission is granted to anyone to use this software for any -+ * purpose on any computer system, and to redistribute it freely, -+ * subject to the following restrictions: -+ * -+ * 1. The author is not responsible for the consequences of use of -+ * this software, no matter how awful, even if they arise -+ * from defects in it. -+ * -+ * 2. The origin of this software must not be misrepresented, either -+ * by explicit claim or by omission. -+ * -+ * 3. Altered versions must be plainly marked as such, and must not -+ * be misrepresented as being the original software. -+ * -+ * Beware that some of this code is subtly aware of the way operator -+ * precedence is structured in regular expressions. Serious changes in -+ * regular-expression syntax might require a total rethink. -+ * -+ * This code was modified by Ethan Sommer to work within the kernel -+ * (it now uses kmalloc etc..) -+ * -+ * Modified slightly by Matthew Strait to use more modern C. -+ */ -+ -+#include "regexp.h" -+#include "regmagic.h" -+ -+/* added by ethan and matt. Lets it work in both kernel and user space. -+(So iptables can use it, for instance.) Yea, it goes both ways... */ -+#if __KERNEL__ -+ #define malloc(foo) kmalloc(foo,GFP_ATOMIC) -+#else -+ #define printk(format,args...) printf(format,##args) -+#endif -+ -+void regerror(char * s) -+{ -+ printk("<3>Regexp: %s\n", s); -+ /* NOTREACHED */ -+} -+ -+/* -+ * The "internal use only" fields in regexp.h are present to pass info from -+ * compile to execute that permits the execute phase to run lots faster on -+ * simple cases. They are: -+ * -+ * regstart char that must begin a match; '\0' if none obvious -+ * reganch is the match anchored (at beginning-of-line only)? -+ * regmust string (pointer into program) that match must include, or NULL -+ * regmlen length of regmust string -+ * -+ * Regstart and reganch permit very fast decisions on suitable starting points -+ * for a match, cutting down the work a lot. Regmust permits fast rejection -+ * of lines that cannot possibly match. The regmust tests are costly enough -+ * that regcomp() supplies a regmust only if the r.e. contains something -+ * potentially expensive (at present, the only such thing detected is * or + -+ * at the start of the r.e., which can involve a lot of backup). Regmlen is -+ * supplied because the test in regexec() needs it and regcomp() is computing -+ * it anyway. -+ */ -+ -+/* -+ * Structure for regexp "program". This is essentially a linear encoding -+ * of a nondeterministic finite-state machine (aka syntax charts or -+ * "railroad normal form" in parsing technology). Each node is an opcode -+ * plus a "next" pointer, possibly plus an operand. "Next" pointers of -+ * all nodes except BRANCH implement concatenation; a "next" pointer with -+ * a BRANCH on both ends of it is connecting two alternatives. (Here we -+ * have one of the subtle syntax dependencies: an individual BRANCH (as -+ * opposed to a collection of them) is never concatenated with anything -+ * because of operator precedence.) The operand of some types of node is -+ * a literal string; for others, it is a node leading into a sub-FSM. In -+ * particular, the operand of a BRANCH node is the first node of the branch. -+ * (NB this is *not* a tree structure: the tail of the branch connects -+ * to the thing following the set of BRANCHes.) The opcodes are: -+ */ -+ -+/* definition number opnd? meaning */ -+#define END 0 /* no End of program. */ -+#define BOL 1 /* no Match "" at beginning of line. */ -+#define EOL 2 /* no Match "" at end of line. */ -+#define ANY 3 /* no Match any one character. */ -+#define ANYOF 4 /* str Match any character in this string. */ -+#define ANYBUT 5 /* str Match any character not in this string. */ -+#define BRANCH 6 /* node Match this alternative, or the next... */ -+#define BACK 7 /* no Match "", "next" ptr points backward. */ -+#define EXACTLY 8 /* str Match this string. */ -+#define NOTHING 9 /* no Match empty string. */ -+#define STAR 10 /* node Match this (simple) thing 0 or more times. */ -+#define PLUS 11 /* node Match this (simple) thing 1 or more times. */ -+#define OPEN 20 /* no Mark this point in input as start of #n. */ -+ /* OPEN+1 is number 1, etc. */ -+#define CLOSE 30 /* no Analogous to OPEN. */ -+ -+/* -+ * Opcode notes: -+ * -+ * BRANCH The set of branches constituting a single choice are hooked -+ * together with their "next" pointers, since precedence prevents -+ * anything being concatenated to any individual branch. The -+ * "next" pointer of the last BRANCH in a choice points to the -+ * thing following the whole choice. This is also where the -+ * final "next" pointer of each individual branch points; each -+ * branch starts with the operand node of a BRANCH node. -+ * -+ * BACK Normal "next" pointers all implicitly point forward; BACK -+ * exists to make loop structures possible. -+ * -+ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular -+ * BRANCH structures using BACK. Simple cases (one character -+ * per match) are implemented with STAR and PLUS for speed -+ * and to minimize recursive plunges. -+ * -+ * OPEN,CLOSE ...are numbered at compile time. -+ */ -+ -+/* -+ * A node is one char of opcode followed by two chars of "next" pointer. -+ * "Next" pointers are stored as two 8-bit pieces, high order first. The -+ * value is a positive offset from the opcode of the node containing it. -+ * An operand, if any, simply follows the node. (Note that much of the -+ * code generation knows about this implicit relationship.) -+ * -+ * Using two bytes for the "next" pointer is vast overkill for most things, -+ * but allows patterns to get big without disasters. -+ */ -+#define OP(p) (*(p)) -+#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377)) -+#define OPERAND(p) ((p) + 3) -+ -+/* -+ * See regmagic.h for one further detail of program structure. -+ */ -+ -+ -+/* -+ * Utility definitions. -+ */ -+#ifndef CHARBITS -+#define UCHARAT(p) ((int)*(unsigned char *)(p)) -+#else -+#define UCHARAT(p) ((int)*(p)&CHARBITS) -+#endif -+ -+#define FAIL(m) { regerror(m); return(NULL); } -+#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?') -+#define META "^$.[()|?+*\\" -+ -+/* -+ * Flags to be passed up and down. -+ */ -+#define HASWIDTH 01 /* Known never to match null string. */ -+#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */ -+#define SPSTART 04 /* Starts with * or +. */ -+#define WORST 0 /* Worst case. */ -+ -+/* -+ * Global work variables for regcomp(). -+ */ -+struct match_globals { -+char *reginput; /* String-input pointer. */ -+char *regbol; /* Beginning of input, for ^ check. */ -+char **regstartp; /* Pointer to startp array. */ -+char **regendp; /* Ditto for endp. */ -+char *regparse; /* Input-scan pointer. */ -+int regnpar; /* () count. */ -+char regdummy; -+char *regcode; /* Code-emit pointer; ®dummy = don't. */ -+long regsize; /* Code size. */ -+}; -+ -+/* -+ * Forward declarations for regcomp()'s friends. -+ */ -+#ifndef STATIC -+#define STATIC static -+#endif -+STATIC char *reg(struct match_globals *g, int paren,int *flagp); -+STATIC char *regbranch(struct match_globals *g, int *flagp); -+STATIC char *regpiece(struct match_globals *g, int *flagp); -+STATIC char *regatom(struct match_globals *g, int *flagp); -+STATIC char *regnode(struct match_globals *g, char op); -+STATIC char *regnext(struct match_globals *g, char *p); -+STATIC void regc(struct match_globals *g, char b); -+STATIC void reginsert(struct match_globals *g, char op, char *opnd); -+STATIC void regtail(struct match_globals *g, char *p, char *val); -+STATIC void regoptail(struct match_globals *g, char *p, char *val); -+ -+ -+__kernel_size_t my_strcspn(const char *s1,const char *s2) -+{ -+ char *scan1; -+ char *scan2; -+ int count; -+ -+ count = 0; -+ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) { -+ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */ -+ if (*scan1 == *scan2++) -+ return(count); -+ count++; -+ } -+ return(count); -+} -+ -+/* -+ - regcomp - compile a regular expression into internal code -+ * -+ * We can't allocate space until we know how big the compiled form will be, -+ * but we can't compile it (and thus know how big it is) until we've got a -+ * place to put the code. So we cheat: we compile it twice, once with code -+ * generation turned off and size counting turned on, and once "for real". -+ * This also means that we don't allocate space until we are sure that the -+ * thing really will compile successfully, and we never have to move the -+ * code and thus invalidate pointers into it. (Note that it has to be in -+ * one piece because free() must be able to free it all.) -+ * -+ * Beware that the optimization-preparation code in here knows about some -+ * of the structure of the compiled regexp. -+ */ -+regexp * -+regcomp(char *exp,int *patternsize) -+{ -+ register regexp *r; -+ register char *scan; -+ register char *longest; -+ register int len; -+ int flags; -+ struct match_globals g; -+ -+ /* commented out by ethan -+ extern char *malloc(); -+ */ -+ -+ if (exp == NULL) -+ FAIL("NULL argument"); -+ -+ /* First pass: determine size, legality. */ -+ g.regparse = exp; -+ g.regnpar = 1; -+ g.regsize = 0L; -+ g.regcode = &g.regdummy; -+ regc(&g, MAGIC); -+ if (reg(&g, 0, &flags) == NULL) -+ return(NULL); -+ -+ /* Small enough for pointer-storage convention? */ -+ if (g.regsize >= 32767L) /* Probably could be 65535L. */ -+ FAIL("regexp too big"); -+ -+ /* Allocate space. */ -+ *patternsize=sizeof(regexp) + (unsigned)g.regsize; -+ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize); -+ if (r == NULL) -+ FAIL("out of space"); -+ -+ /* Second pass: emit code. */ -+ g.regparse = exp; -+ g.regnpar = 1; -+ g.regcode = r->program; -+ regc(&g, MAGIC); -+ if (reg(&g, 0, &flags) == NULL) -+ return(NULL); -+ -+ /* Dig out information for optimizations. */ -+ r->regstart = '\0'; /* Worst-case defaults. */ -+ r->reganch = 0; -+ r->regmust = NULL; -+ r->regmlen = 0; -+ scan = r->program+1; /* First BRANCH. */ -+ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */ -+ scan = OPERAND(scan); -+ -+ /* Starting-point info. */ -+ if (OP(scan) == EXACTLY) -+ r->regstart = *OPERAND(scan); -+ else if (OP(scan) == BOL) -+ r->reganch++; -+ -+ /* -+ * If there's something expensive in the r.e., find the -+ * longest literal string that must appear and make it the -+ * regmust. Resolve ties in favor of later strings, since -+ * the regstart check works with the beginning of the r.e. -+ * and avoiding duplication strengthens checking. Not a -+ * strong reason, but sufficient in the absence of others. -+ */ -+ if (flags&SPSTART) { -+ longest = NULL; -+ len = 0; -+ for (; scan != NULL; scan = regnext(&g, scan)) -+ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { -+ longest = OPERAND(scan); -+ len = strlen(OPERAND(scan)); -+ } -+ r->regmust = longest; -+ r->regmlen = len; -+ } -+ } -+ -+ return(r); -+} -+ -+/* -+ - reg - regular expression, i.e. main body or parenthesized thing -+ * -+ * Caller must absorb opening parenthesis. -+ * -+ * Combining parenthesis handling with the base level of regular expression -+ * is a trifle forced, but the need to tie the tails of the branches to what -+ * follows makes it hard to avoid. -+ */ -+static char * -+reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ ) -+{ -+ register char *ret; -+ register char *br; -+ register char *ender; -+ register int parno = 0; /* 0 makes gcc happy */ -+ int flags; -+ -+ *flagp = HASWIDTH; /* Tentatively. */ -+ -+ /* Make an OPEN node, if parenthesized. */ -+ if (paren) { -+ if (g->regnpar >= NSUBEXP) -+ FAIL("too many ()"); -+ parno = g->regnpar; -+ g->regnpar++; -+ ret = regnode(g, OPEN+parno); -+ } else -+ ret = NULL; -+ -+ /* Pick up the branches, linking them together. */ -+ br = regbranch(g, &flags); -+ if (br == NULL) -+ return(NULL); -+ if (ret != NULL) -+ regtail(g, ret, br); /* OPEN -> first. */ -+ else -+ ret = br; -+ if (!(flags&HASWIDTH)) -+ *flagp &= ~HASWIDTH; -+ *flagp |= flags&SPSTART; -+ while (*g->regparse == '|') { -+ g->regparse++; -+ br = regbranch(g, &flags); -+ if (br == NULL) -+ return(NULL); -+ regtail(g, ret, br); /* BRANCH -> BRANCH. */ -+ if (!(flags&HASWIDTH)) -+ *flagp &= ~HASWIDTH; -+ *flagp |= flags&SPSTART; -+ } -+ -+ /* Make a closing node, and hook it on the end. */ -+ ender = regnode(g, (paren) ? CLOSE+parno : END); -+ regtail(g, ret, ender); -+ -+ /* Hook the tails of the branches to the closing node. */ -+ for (br = ret; br != NULL; br = regnext(g, br)) -+ regoptail(g, br, ender); -+ -+ /* Check for proper termination. */ -+ if (paren && *g->regparse++ != ')') { -+ FAIL("unmatched ()"); -+ } else if (!paren && *g->regparse != '\0') { -+ if (*g->regparse == ')') { -+ FAIL("unmatched ()"); -+ } else -+ FAIL("junk on end"); /* "Can't happen". */ -+ /* NOTREACHED */ -+ } -+ -+ return(ret); -+} -+ -+/* -+ - regbranch - one alternative of an | operator -+ * -+ * Implements the concatenation operator. -+ */ -+static char * -+regbranch(struct match_globals *g, int *flagp) -+{ -+ register char *ret; -+ register char *chain; -+ register char *latest; -+ int flags; -+ -+ *flagp = WORST; /* Tentatively. */ -+ -+ ret = regnode(g, BRANCH); -+ chain = NULL; -+ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') { -+ latest = regpiece(g, &flags); -+ if (latest == NULL) -+ return(NULL); -+ *flagp |= flags&HASWIDTH; -+ if (chain == NULL) /* First piece. */ -+ *flagp |= flags&SPSTART; -+ else -+ regtail(g, chain, latest); -+ chain = latest; -+ } -+ if (chain == NULL) /* Loop ran zero times. */ -+ (void) regnode(g, NOTHING); -+ -+ return(ret); -+} -+ -+/* -+ - regpiece - something followed by possible [*+?] -+ * -+ * Note that the branching code sequences used for ? and the general cases -+ * of * and + are somewhat optimized: they use the same NOTHING node as -+ * both the endmarker for their branch list and the body of the last branch. -+ * It might seem that this node could be dispensed with entirely, but the -+ * endmarker role is not redundant. -+ */ -+static char * -+regpiece(struct match_globals *g, int *flagp) -+{ -+ register char *ret; -+ register char op; -+ register char *next; -+ int flags; -+ -+ ret = regatom(g, &flags); -+ if (ret == NULL) -+ return(NULL); -+ -+ op = *g->regparse; -+ if (!ISMULT(op)) { -+ *flagp = flags; -+ return(ret); -+ } -+ -+ if (!(flags&HASWIDTH) && op != '?') -+ FAIL("*+ operand could be empty"); -+ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH); -+ -+ if (op == '*' && (flags&SIMPLE)) -+ reginsert(g, STAR, ret); -+ else if (op == '*') { -+ /* Emit x* as (x&|), where & means "self". */ -+ reginsert(g, BRANCH, ret); /* Either x */ -+ regoptail(g, ret, regnode(g, BACK)); /* and loop */ -+ regoptail(g, ret, ret); /* back */ -+ regtail(g, ret, regnode(g, BRANCH)); /* or */ -+ regtail(g, ret, regnode(g, NOTHING)); /* null. */ -+ } else if (op == '+' && (flags&SIMPLE)) -+ reginsert(g, PLUS, ret); -+ else if (op == '+') { -+ /* Emit x+ as x(&|), where & means "self". */ -+ next = regnode(g, BRANCH); /* Either */ -+ regtail(g, ret, next); -+ regtail(g, regnode(g, BACK), ret); /* loop back */ -+ regtail(g, next, regnode(g, BRANCH)); /* or */ -+ regtail(g, ret, regnode(g, NOTHING)); /* null. */ -+ } else if (op == '?') { -+ /* Emit x? as (x|) */ -+ reginsert(g, BRANCH, ret); /* Either x */ -+ regtail(g, ret, regnode(g, BRANCH)); /* or */ -+ next = regnode(g, NOTHING); /* null. */ -+ regtail(g, ret, next); -+ regoptail(g, ret, next); -+ } -+ g->regparse++; -+ if (ISMULT(*g->regparse)) -+ FAIL("nested *?+"); -+ -+ return(ret); -+} -+ -+/* -+ - regatom - the lowest level -+ * -+ * Optimization: gobbles an entire sequence of ordinary characters so that -+ * it can turn them into a single node, which is smaller to store and -+ * faster to run. Backslashed characters are exceptions, each becoming a -+ * separate node; the code is simpler that way and it's not worth fixing. -+ */ -+static char * -+regatom(struct match_globals *g, int *flagp) -+{ -+ register char *ret; -+ int flags; -+ -+ *flagp = WORST; /* Tentatively. */ -+ -+ switch (*g->regparse++) { -+ case '^': -+ ret = regnode(g, BOL); -+ break; -+ case '$': -+ ret = regnode(g, EOL); -+ break; -+ case '.': -+ ret = regnode(g, ANY); -+ *flagp |= HASWIDTH|SIMPLE; -+ break; -+ case '[': { -+ register int class; -+ register int classend; -+ -+ if (*g->regparse == '^') { /* Complement of range. */ -+ ret = regnode(g, ANYBUT); -+ g->regparse++; -+ } else -+ ret = regnode(g, ANYOF); -+ if (*g->regparse == ']' || *g->regparse == '-') -+ regc(g, *g->regparse++); -+ while (*g->regparse != '\0' && *g->regparse != ']') { -+ if (*g->regparse == '-') { -+ g->regparse++; -+ if (*g->regparse == ']' || *g->regparse == '\0') -+ regc(g, '-'); -+ else { -+ class = UCHARAT(g->regparse-2)+1; -+ classend = UCHARAT(g->regparse); -+ if (class > classend+1) -+ FAIL("invalid [] range"); -+ for (; class <= classend; class++) -+ regc(g, class); -+ g->regparse++; -+ } -+ } else -+ regc(g, *g->regparse++); -+ } -+ regc(g, '\0'); -+ if (*g->regparse != ']') -+ FAIL("unmatched []"); -+ g->regparse++; -+ *flagp |= HASWIDTH|SIMPLE; -+ } -+ break; -+ case '(': -+ ret = reg(g, 1, &flags); -+ if (ret == NULL) -+ return(NULL); -+ *flagp |= flags&(HASWIDTH|SPSTART); -+ break; -+ case '\0': -+ case '|': -+ case ')': -+ FAIL("internal urp"); /* Supposed to be caught earlier. */ -+ break; -+ case '?': -+ case '+': -+ case '*': -+ FAIL("?+* follows nothing"); -+ break; -+ case '\\': -+ if (*g->regparse == '\0') -+ FAIL("trailing \\"); -+ ret = regnode(g, EXACTLY); -+ regc(g, *g->regparse++); -+ regc(g, '\0'); -+ *flagp |= HASWIDTH|SIMPLE; -+ break; -+ default: { -+ register int len; -+ register char ender; -+ -+ g->regparse--; -+ len = my_strcspn((const char *)g->regparse, (const char *)META); -+ if (len <= 0) -+ FAIL("internal disaster"); -+ ender = *(g->regparse+len); -+ if (len > 1 && ISMULT(ender)) -+ len--; /* Back off clear of ?+* operand. */ -+ *flagp |= HASWIDTH; -+ if (len == 1) -+ *flagp |= SIMPLE; -+ ret = regnode(g, EXACTLY); -+ while (len > 0) { -+ regc(g, *g->regparse++); -+ len--; -+ } -+ regc(g, '\0'); -+ } -+ break; -+ } -+ -+ return(ret); -+} -+ -+/* -+ - regnode - emit a node -+ */ -+static char * /* Location. */ -+regnode(struct match_globals *g, char op) -+{ -+ register char *ret; -+ register char *ptr; -+ -+ ret = g->regcode; -+ if (ret == &g->regdummy) { -+ g->regsize += 3; -+ return(ret); -+ } -+ -+ ptr = ret; -+ *ptr++ = op; -+ *ptr++ = '\0'; /* Null "next" pointer. */ -+ *ptr++ = '\0'; -+ g->regcode = ptr; -+ -+ return(ret); -+} -+ -+/* -+ - regc - emit (if appropriate) a byte of code -+ */ -+static void -+regc(struct match_globals *g, char b) -+{ -+ if (g->regcode != &g->regdummy) -+ *g->regcode++ = b; -+ else -+ g->regsize++; -+} -+ -+/* -+ - reginsert - insert an operator in front of already-emitted operand -+ * -+ * Means relocating the operand. -+ */ -+static void -+reginsert(struct match_globals *g, char op, char* opnd) -+{ -+ register char *src; -+ register char *dst; -+ register char *place; -+ -+ if (g->regcode == &g->regdummy) { -+ g->regsize += 3; -+ return; -+ } -+ -+ src = g->regcode; -+ g->regcode += 3; -+ dst = g->regcode; -+ while (src > opnd) -+ *--dst = *--src; -+ -+ place = opnd; /* Op node, where operand used to be. */ -+ *place++ = op; -+ *place++ = '\0'; -+ *place++ = '\0'; -+} -+ -+/* -+ - regtail - set the next-pointer at the end of a node chain -+ */ -+static void -+regtail(struct match_globals *g, char *p, char *val) -+{ -+ register char *scan; -+ register char *temp; -+ register int offset; -+ -+ if (p == &g->regdummy) -+ return; -+ -+ /* Find last node. */ -+ scan = p; -+ for (;;) { -+ temp = regnext(g, scan); -+ if (temp == NULL) -+ break; -+ scan = temp; -+ } -+ -+ if (OP(scan) == BACK) -+ offset = scan - val; -+ else -+ offset = val - scan; -+ *(scan+1) = (offset>>8)&0377; -+ *(scan+2) = offset&0377; -+} -+ -+/* -+ - regoptail - regtail on operand of first argument; nop if operandless -+ */ -+static void -+regoptail(struct match_globals *g, char *p, char *val) -+{ -+ /* "Operandless" and "op != BRANCH" are synonymous in practice. */ -+ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH) -+ return; -+ regtail(g, OPERAND(p), val); -+} -+ -+/* -+ * regexec and friends -+ */ -+ -+ -+/* -+ * Forwards. -+ */ -+STATIC int regtry(struct match_globals *g, regexp *prog, char *string); -+STATIC int regmatch(struct match_globals *g, char *prog); -+STATIC int regrepeat(struct match_globals *g, char *p); -+ -+#ifdef DEBUG -+int regnarrate = 0; -+void regdump(); -+STATIC char *regprop(char *op); -+#endif -+ -+/* -+ - regexec - match a regexp against a string -+ */ -+int -+regexec(regexp *prog, char *string) -+{ -+ register char *s; -+ struct match_globals g; -+ -+ /* Be paranoid... */ -+ if (prog == NULL || string == NULL) { -+ printk("<3>Regexp: NULL parameter\n"); -+ return(0); -+ } -+ -+ /* Check validity of program. */ -+ if (UCHARAT(prog->program) != MAGIC) { -+ printk("<3>Regexp: corrupted program\n"); -+ return(0); -+ } -+ -+ /* If there is a "must appear" string, look for it. */ -+ if (prog->regmust != NULL) { -+ s = string; -+ while ((s = strchr(s, prog->regmust[0])) != NULL) { -+ if (strncmp(s, prog->regmust, prog->regmlen) == 0) -+ break; /* Found it. */ -+ s++; -+ } -+ if (s == NULL) /* Not present. */ -+ return(0); -+ } -+ -+ /* Mark beginning of line for ^ . */ -+ g.regbol = string; -+ -+ /* Simplest case: anchored match need be tried only once. */ -+ if (prog->reganch) -+ return(regtry(&g, prog, string)); -+ -+ /* Messy cases: unanchored match. */ -+ s = string; -+ if (prog->regstart != '\0') -+ /* We know what char it must start with. */ -+ while ((s = strchr(s, prog->regstart)) != NULL) { -+ if (regtry(&g, prog, s)) -+ return(1); -+ s++; -+ } -+ else -+ /* We don't -- general case. */ -+ do { -+ if (regtry(&g, prog, s)) -+ return(1); -+ } while (*s++ != '\0'); -+ -+ /* Failure. */ -+ return(0); -+} -+ -+/* -+ - regtry - try match at specific point -+ */ -+static int /* 0 failure, 1 success */ -+regtry(struct match_globals *g, regexp *prog, char *string) -+{ -+ register int i; -+ register char **sp; -+ register char **ep; -+ -+ g->reginput = string; -+ g->regstartp = prog->startp; -+ g->regendp = prog->endp; -+ -+ sp = prog->startp; -+ ep = prog->endp; -+ for (i = NSUBEXP; i > 0; i--) { -+ *sp++ = NULL; -+ *ep++ = NULL; -+ } -+ if (regmatch(g, prog->program + 1)) { -+ prog->startp[0] = string; -+ prog->endp[0] = g->reginput; -+ return(1); -+ } else -+ return(0); -+} -+ -+/* -+ - regmatch - main matching routine -+ * -+ * Conceptually the strategy is simple: check to see whether the current -+ * node matches, call self recursively to see whether the rest matches, -+ * and then act accordingly. In practice we make some effort to avoid -+ * recursion, in particular by going through "ordinary" nodes (that don't -+ * need to know whether the rest of the match failed) by a loop instead of -+ * by recursion. -+ */ -+static int /* 0 failure, 1 success */ -+regmatch(struct match_globals *g, char *prog) -+{ -+ register char *scan = prog; /* Current node. */ -+ char *next; /* Next node. */ -+ -+#ifdef DEBUG -+ if (scan != NULL && regnarrate) -+ fprintf(stderr, "%s(\n", regprop(scan)); -+#endif -+ while (scan != NULL) { -+#ifdef DEBUG -+ if (regnarrate) -+ fprintf(stderr, "%s...\n", regprop(scan)); -+#endif -+ next = regnext(g, scan); -+ -+ switch (OP(scan)) { -+ case BOL: -+ if (g->reginput != g->regbol) -+ return(0); -+ break; -+ case EOL: -+ if (*g->reginput != '\0') -+ return(0); -+ break; -+ case ANY: -+ if (*g->reginput == '\0') -+ return(0); -+ g->reginput++; -+ break; -+ case EXACTLY: { -+ register int len; -+ register char *opnd; -+ -+ opnd = OPERAND(scan); -+ /* Inline the first character, for speed. */ -+ if (*opnd != *g->reginput) -+ return(0); -+ len = strlen(opnd); -+ if (len > 1 && strncmp(opnd, g->reginput, len) != 0) -+ return(0); -+ g->reginput += len; -+ } -+ break; -+ case ANYOF: -+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL) -+ return(0); -+ g->reginput++; -+ break; -+ case ANYBUT: -+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL) -+ return(0); -+ g->reginput++; -+ break; -+ case NOTHING: -+ case BACK: -+ break; -+ case OPEN+1: -+ case OPEN+2: -+ case OPEN+3: -+ case OPEN+4: -+ case OPEN+5: -+ case OPEN+6: -+ case OPEN+7: -+ case OPEN+8: -+ case OPEN+9: { -+ register int no; -+ register char *save; -+ -+ no = OP(scan) - OPEN; -+ save = g->reginput; -+ -+ if (regmatch(g, next)) { -+ /* -+ * Don't set startp if some later -+ * invocation of the same parentheses -+ * already has. -+ */ -+ if (g->regstartp[no] == NULL) -+ g->regstartp[no] = save; -+ return(1); -+ } else -+ return(0); -+ } -+ break; -+ case CLOSE+1: -+ case CLOSE+2: -+ case CLOSE+3: -+ case CLOSE+4: -+ case CLOSE+5: -+ case CLOSE+6: -+ case CLOSE+7: -+ case CLOSE+8: -+ case CLOSE+9: -+ { -+ register int no; -+ register char *save; -+ -+ no = OP(scan) - CLOSE; -+ save = g->reginput; -+ -+ if (regmatch(g, next)) { -+ /* -+ * Don't set endp if some later -+ * invocation of the same parentheses -+ * already has. -+ */ -+ if (g->regendp[no] == NULL) -+ g->regendp[no] = save; -+ return(1); -+ } else -+ return(0); -+ } -+ break; -+ case BRANCH: { -+ register char *save; -+ -+ if (OP(next) != BRANCH) /* No choice. */ -+ next = OPERAND(scan); /* Avoid recursion. */ -+ else { -+ do { -+ save = g->reginput; -+ if (regmatch(g, OPERAND(scan))) -+ return(1); -+ g->reginput = save; -+ scan = regnext(g, scan); -+ } while (scan != NULL && OP(scan) == BRANCH); -+ return(0); -+ /* NOTREACHED */ -+ } -+ } -+ break; -+ case STAR: -+ case PLUS: { -+ register char nextch; -+ register int no; -+ register char *save; -+ register int min; -+ -+ /* -+ * Lookahead to avoid useless match attempts -+ * when we know what character comes next. -+ */ -+ nextch = '\0'; -+ if (OP(next) == EXACTLY) -+ nextch = *OPERAND(next); -+ min = (OP(scan) == STAR) ? 0 : 1; -+ save = g->reginput; -+ no = regrepeat(g, OPERAND(scan)); -+ while (no >= min) { -+ /* If it could work, try it. */ -+ if (nextch == '\0' || *g->reginput == nextch) -+ if (regmatch(g, next)) -+ return(1); -+ /* Couldn't or didn't -- back up. */ -+ no--; -+ g->reginput = save + no; -+ } -+ return(0); -+ } -+ break; -+ case END: -+ return(1); /* Success! */ -+ break; -+ default: -+ printk("<3>Regexp: memory corruption\n"); -+ return(0); -+ break; -+ } -+ -+ scan = next; -+ } -+ -+ /* -+ * We get here only if there's trouble -- normally "case END" is -+ * the terminating point. -+ */ -+ printk("<3>Regexp: corrupted pointers\n"); -+ return(0); -+} -+ -+/* -+ - regrepeat - repeatedly match something simple, report how many -+ */ -+static int -+regrepeat(struct match_globals *g, char *p) -+{ -+ register int count = 0; -+ register char *scan; -+ register char *opnd; -+ -+ scan = g->reginput; -+ opnd = OPERAND(p); -+ switch (OP(p)) { -+ case ANY: -+ count = strlen(scan); -+ scan += count; -+ break; -+ case EXACTLY: -+ while (*opnd == *scan) { -+ count++; -+ scan++; -+ } -+ break; -+ case ANYOF: -+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) { -+ count++; -+ scan++; -+ } -+ break; -+ case ANYBUT: -+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) { -+ count++; -+ scan++; -+ } -+ break; -+ default: /* Oh dear. Called inappropriately. */ -+ printk("<3>Regexp: internal foulup\n"); -+ count = 0; /* Best compromise. */ -+ break; -+ } -+ g->reginput = scan; -+ -+ return(count); -+} -+ -+/* -+ - regnext - dig the "next" pointer out of a node -+ */ -+static char* -+regnext(struct match_globals *g, char *p) -+{ -+ register int offset; -+ -+ if (p == &g->regdummy) -+ return(NULL); -+ -+ offset = NEXT(p); -+ if (offset == 0) -+ return(NULL); -+ -+ if (OP(p) == BACK) -+ return(p-offset); -+ else -+ return(p+offset); -+} -+ -+#ifdef DEBUG -+ -+STATIC char *regprop(); -+ -+/* -+ - regdump - dump a regexp onto stdout in vaguely comprehensible form -+ */ -+void -+regdump(regexp *r) -+{ -+ register char *s; -+ register char op = EXACTLY; /* Arbitrary non-END op. */ -+ register char *next; -+ /* extern char *strchr(); */ -+ -+ -+ s = r->program + 1; -+ while (op != END) { /* While that wasn't END last time... */ -+ op = OP(s); -+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */ -+ next = regnext(s); -+ if (next == NULL) /* Next ptr. */ -+ printf("(0)"); -+ else -+ printf("(%d)", (s-r->program)+(next-s)); -+ s += 3; -+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) { -+ /* Literal string, where present. */ -+ while (*s != '\0') { -+ putchar(*s); -+ s++; -+ } -+ s++; -+ } -+ putchar('\n'); -+ } -+ -+ /* Header fields of interest. */ -+ if (r->regstart != '\0') -+ printf("start `%c' ", r->regstart); -+ if (r->reganch) -+ printf("anchored "); -+ if (r->regmust != NULL) -+ printf("must have \"%s\"", r->regmust); -+ printf("\n"); -+} -+ -+/* -+ - regprop - printable representation of opcode -+ */ -+static char * -+regprop(char *op) -+{ -+#define BUFLEN 50 -+ register char *p; -+ static char buf[BUFLEN]; -+ -+ strcpy(buf, ":"); -+ -+ switch (OP(op)) { -+ case BOL: -+ p = "BOL"; -+ break; -+ case EOL: -+ p = "EOL"; -+ break; -+ case ANY: -+ p = "ANY"; -+ break; -+ case ANYOF: -+ p = "ANYOF"; -+ break; -+ case ANYBUT: -+ p = "ANYBUT"; -+ break; -+ case BRANCH: -+ p = "BRANCH"; -+ break; -+ case EXACTLY: -+ p = "EXACTLY"; -+ break; -+ case NOTHING: -+ p = "NOTHING"; -+ break; -+ case BACK: -+ p = "BACK"; -+ break; -+ case END: -+ p = "END"; -+ break; -+ case OPEN+1: -+ case OPEN+2: -+ case OPEN+3: -+ case OPEN+4: -+ case OPEN+5: -+ case OPEN+6: -+ case OPEN+7: -+ case OPEN+8: -+ case OPEN+9: -+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN); -+ p = NULL; -+ break; -+ case CLOSE+1: -+ case CLOSE+2: -+ case CLOSE+3: -+ case CLOSE+4: -+ case CLOSE+5: -+ case CLOSE+6: -+ case CLOSE+7: -+ case CLOSE+8: -+ case CLOSE+9: -+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE); -+ p = NULL; -+ break; -+ case STAR: -+ p = "STAR"; -+ break; -+ case PLUS: -+ p = "PLUS"; -+ break; -+ default: -+ printk("<3>Regexp: corrupted opcode\n"); -+ break; -+ } -+ if (p != NULL) -+ strncat(buf, p, BUFLEN-strlen(buf)); -+ return(buf); -+} -+#endif -+ -+ -Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 00:37:55.700427500 +0200 -@@ -0,0 +1,41 @@ -+/* -+ * Definitions etc. for regexp(3) routines. -+ * -+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], -+ * not the System V one. -+ */ -+ -+#ifndef REGEXP_H -+#define REGEXP_H -+ -+ -+/* -+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h , -+which contains a version of this library, says: -+ -+ * -+ * NSUBEXP must be at least 10, and no greater than 117 or the parser -+ * will not work properly. -+ * -+ -+However, it looks rather like this library is limited to 10. If you think -+otherwise, let us know. -+*/ -+ -+#define NSUBEXP 10 -+typedef struct regexp { -+ char *startp[NSUBEXP]; -+ char *endp[NSUBEXP]; -+ char regstart; /* Internal use only. */ -+ char reganch; /* Internal use only. */ -+ char *regmust; /* Internal use only. */ -+ int regmlen; /* Internal use only. */ -+ char program[1]; /* Unwarranted chumminess with compiler. */ -+} regexp; -+ -+regexp * regcomp(char *exp, int *patternsize); -+int regexec(regexp *prog, char *string); -+void regsub(regexp *prog, char *source, char *dest); -+void regerror(char *s); -+ -+#endif -Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 00:37:55.724429000 +0200 -@@ -0,0 +1,5 @@ -+/* -+ * The first byte of the regexp internal "program" is actually this magic -+ * number; the start node begins in the second byte. -+ */ -+#define MAGIC 0234 -Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 00:37:55.752430750 +0200 -@@ -0,0 +1,95 @@ -+/* -+ * regsub -+ * @(#)regsub.c 1.3 of 2 April 86 -+ * -+ * Copyright (c) 1986 by University of Toronto. -+ * Written by Henry Spencer. Not derived from licensed software. -+ * -+ * Permission is granted to anyone to use this software for any -+ * purpose on any computer system, and to redistribute it freely, -+ * subject to the following restrictions: -+ * -+ * 1. The author is not responsible for the consequences of use of -+ * this software, no matter how awful, even if they arise -+ * from defects in it. -+ * -+ * 2. The origin of this software must not be misrepresented, either -+ * by explicit claim or by omission. -+ * -+ * 3. Altered versions must be plainly marked as such, and must not -+ * be misrepresented as being the original software. -+ * -+ * -+ * This code was modified by Ethan Sommer to work within the kernel -+ * (it now uses kmalloc etc..) -+ * -+ */ -+#include "regexp.h" -+#include "regmagic.h" -+#include -+ -+ -+#ifndef CHARBITS -+#define UCHARAT(p) ((int)*(unsigned char *)(p)) -+#else -+#define UCHARAT(p) ((int)*(p)&CHARBITS) -+#endif -+ -+#if 0 -+//void regerror(char * s) -+//{ -+// printk("regexp(3): %s", s); -+// /* NOTREACHED */ -+//} -+#endif -+ -+/* -+ - regsub - perform substitutions after a regexp match -+ */ -+void -+regsub(regexp * prog, char * source, char * dest) -+{ -+ register char *src; -+ register char *dst; -+ register char c; -+ register int no; -+ register int len; -+ -+ /* Not necessary and gcc doesn't like it -MLS */ -+ /*extern char *strncpy();*/ -+ -+ if (prog == NULL || source == NULL || dest == NULL) { -+ regerror("NULL parm to regsub"); -+ return; -+ } -+ if (UCHARAT(prog->program) != MAGIC) { -+ regerror("damaged regexp fed to regsub"); -+ return; -+ } -+ -+ src = source; -+ dst = dest; -+ while ((c = *src++) != '\0') { -+ if (c == '&') -+ no = 0; -+ else if (c == '\\' && '0' <= *src && *src <= '9') -+ no = *src++ - '0'; -+ else -+ no = -1; -+ -+ if (no < 0) { /* Ordinary character. */ -+ if (c == '\\' && (*src == '\\' || *src == '&')) -+ c = *src++; -+ *dst++ = c; -+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { -+ len = prog->endp[no] - prog->startp[no]; -+ (void) strncpy(dst, prog->startp[no], len); -+ dst += len; -+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */ -+ regerror("damaged match string"); -+ return; -+ } -+ } -+ } -+ *dst++ = '\0'; -+} -Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h -=================================================================== ---- linux-2.6.21.5.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 00:49:22.815369500 +0200 -+++ linux-2.6.21.5/include/net/netfilter/nf_conntrack.h 2007-07-02 00:56:21.413530250 +0200 -@@ -128,6 +128,21 @@ - u_int32_t secmark; - #endif - -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ struct { -+ /* -+ * e.g. "http". NULL before decision. "unknown" after decision -+ * if no match. -+ */ -+ char *app_proto; -+ /* -+ * application layer data so far. NULL after match decision. -+ */ -+ char *app_data; -+ unsigned int app_data_len; -+ } layer7; -+#endif -+ - /* Storage reserved for other modules: */ - union nf_conntrack_proto proto; - diff --git a/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch index 966353ad2f..cabffacc14 100644 --- a/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch +++ b/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch @@ -1,37 +1,37 @@ -Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h +Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h =================================================================== ---- linux-2.6.21.5.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200 -+++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 01:36:08.914739750 +0200 -@@ -21,6 +21,7 @@ +--- linux-2.6.21.7.orig/include/linux/netfilter/xt_layer7.h ++++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h +@@ -8,6 +8,7 @@ struct xt_layer7_info { char protocol[MAX_PROTOCOL_LEN]; - char invert:1; char pattern[MAX_PATTERN_LEN]; -+ char pkt; + u_int8_t invert; ++ u_int8_t pkt; }; - #endif /* _IPT_LAYER7_H */ -Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c + #endif /* _XT_LAYER7_H */ +Index: linux-2.6.21.7/net/netfilter/xt_layer7.c =================================================================== ---- linux-2.6.21.5.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200 -+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:37:01.990056750 +0200 -@@ -299,33 +299,34 @@ - } +--- linux-2.6.21.7.orig/net/netfilter/xt_layer7.c ++++ linux-2.6.21.7/net/netfilter/xt_layer7.c +@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con } --/* add the new app data to the conntrack. Return number of bytes added. */ --static int add_data(struct ip_conntrack * master_conntrack, -- char * app_data, int appdatalen) + /* add the new app data to the conntrack. Return number of bytes added. */ +-static int add_data(struct nf_conn * master_conntrack, +- char * app_data, int appdatalen) +static int add_datastr(char *target, int offset, char *app_data, int len) { int length = 0, i; - int oldlength = master_conntrack->layer7.app_data_len; - -- // This is a fix for a race condition by Deti Fliegl. However, I'm not -- // clear on whether the race condition exists or whether this really -- // fixes it. I might just be being dense... Anyway, if it's not really -- // a fix, all it does is waste a very small amount of time. +- /* This is a fix for a race condition by Deti Fliegl. However, I'm not +- clear on whether the race condition exists or whether this really +- fixes it. I might just be being dense... Anyway, if it's not really +- a fix, all it does is waste a very small amount of time. */ - if(!master_conntrack->layer7.app_data) return 0; -+ if(!target) return 0; ++ ++ if (!target) return 0; /* Strip nulls. Make everything lower case (our regex lib doesn't do case insensitivity). Add it to the end of the current data. */ @@ -39,54 +39,55 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c - i < appdatalen; i++) { + for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { if(app_data[i] != '\0') { + /* the kernel version of tolower mungs 'upper ascii' */ - master_conntrack->layer7.app_data[length+oldlength] = + target[length+offset] = - /* the kernel version of tolower mungs 'upper ascii' */ - isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; + isascii(app_data[i])? + tolower(app_data[i]) : app_data[i]; length++; } } + target[length+offset] = '\0'; ++ ++ return length; ++} - master_conntrack->layer7.app_data[length+oldlength] = '\0'; - master_conntrack->layer7.app_data_len = length + oldlength; -+ return length; -+} -+ +/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct ip_conntrack * master_conntrack, -+ char * app_data, int appdatalen) ++static int add_data(struct nf_conn * master_conntrack, ++ char * app_data, int appdatalen) +{ + int length; -+ + + length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); + master_conntrack->layer7.app_data_len += length; - return length; } -@@ -343,7 +344,7 @@ + +@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin, + const struct xt_layer7_info * info = matchinfo; enum ip_conntrack_info master_ctinfo, ctinfo; - struct nf_conn *master_conntrack; - struct ip_conntrack *conntrack; + struct nf_conn *master_conntrack, *conntrack; - unsigned char * app_data; + unsigned char *app_data, *tmp_data; unsigned int pattern_result, appdatalen; regexp * comppattern; -@@ -365,8 +366,8 @@ +@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin, master_conntrack = master_ct(master_conntrack); /* if we've classified it or seen too many packets */ - if(TOTAL_PACKETS > num_packets || - master_conntrack->layer7.app_proto) { + if(!info->pkt && (TOTAL_PACKETS > num_packets || -+ master_conntrack->layer7.app_proto)) { - - pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); ++ master_conntrack->layer7.app_proto)) { -@@ -396,6 +397,23 @@ + pattern_result = match_no_append(conntrack, master_conntrack, + ctinfo, master_ctinfo, info); +@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin, + /* the return value gets checked later, when we're ready to use it */ comppattern = compile_and_cache(info->pattern, info->protocol); - spin_unlock_bh(&list_lock); + if (info->pkt) { + tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); @@ -99,12 +100,14 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c + tmp_data[0] = '\0'; + add_datastr(tmp_data, 0, app_data, appdatalen); + pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); ++ + kfree(tmp_data); + tmp_data = NULL; ++ spin_unlock_bh(&l7_lock); + + return (pattern_result ^ info->invert); + } + /* On the first packet of a connection, allocate space for app data */ - write_lock(&ct_lock); - if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { + if(TOTAL_PACKETS == 1 && !skb->cb[0] && + !master_conntrack->layer7.app_data){ diff --git a/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch b/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch index 509c5eb169..5f202ca99e 100644 --- a/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch +++ b/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch @@ -1,6 +1,7 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-26 20:21:54.586864296 +0200 +Index: linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_ipp2p.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_ipp2p.h @@ -0,0 +1,31 @@ +#ifndef __IPT_IPP2P_H +#define __IPT_IPP2P_H @@ -33,9 +34,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6. +#define IPP2P_MUTE (1 << 14) +#define IPP2P_WASTE (1 << 15) +#define IPP2P_XDCC (1 << 16) -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-26 20:21:54.587864144 +0200 +Index: linux-2.6.21.7/net/ipv4/netfilter/ipt_ipp2p.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/ipv4/netfilter/ipt_ipp2p.c @@ -0,0 +1,882 @@ +#if defined(MODVERSIONS) +#include @@ -782,7 +784,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/n +{ + const struct ipt_p2p_info *info = matchinfo; + unsigned char *haystack; -+ struct iphdr *ip = skb->nh.iph; ++ struct iphdr *ip = ip_hdr(skb); + int p2p_result = 0, i = 0; +// int head_len; + int hlen = ntohs(ip->tot_len)-(ip->ihl*4); /*hlen = packet-data length*/ @@ -919,12 +921,13 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/n +module_exit(fini); + + -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-05-26 20:17:47.626407992 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:21:54.587864144 +0200 -@@ -263,6 +263,12 @@ - help - Say Y to get lots of debugging output. +Index: linux-2.6.21.7/net/ipv4/netfilter/Kconfig +=================================================================== +--- linux-2.6.21.7.orig/net/ipv4/netfilter/Kconfig ++++ linux-2.6.21.7/net/ipv4/netfilter/Kconfig +@@ -245,6 +245,12 @@ config IP_NF_MATCH_IPRANGE + + To compile it as a module, choose M here. If unsure, say N. +config IP_NF_MATCH_IPP2P + tristate "IPP2P" @@ -935,15 +938,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i config IP_NF_MATCH_TOS tristate "TOS match support" depends on IP_NF_IPTABLES -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile ---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-05-26 20:17:47.638406168 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:21:54.588863992 +0200 -@@ -91,7 +91,7 @@ +Index: linux-2.6.21.7/net/ipv4/netfilter/Makefile +=================================================================== +--- linux-2.6.21.7.orig/net/ipv4/netfilter/Makefile ++++ linux-2.6.21.7/net/ipv4/netfilter/Makefile +@@ -91,6 +91,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o -- +obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o - obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o # targets + obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o diff --git a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch deleted file mode 100644 index 2c24975f54..0000000000 --- a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch +++ /dev/null @@ -1,946 +0,0 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h ---- linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h 2007-05-26 20:40:10.922195992 +0200 -@@ -0,0 +1,5 @@ -+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) -+# include -+#else /* linux-2.6.20+ */ -+# include -+#endif -diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h ---- linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h 2007-05-26 20:40:10.940193256 +0200 -@@ -0,0 +1,14 @@ -+/* Out of tree workarounds */ -+#include -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_MATCHINFOSIZE 1 -+# define HAVE_TARGUSERINFO 1 -+# define HAVE_TARGINFOSIZE 1 -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) -+# define nfmark mark -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) -+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ -+ tcp_v4_check((tcph_sz), (s), (d), (csp)) -+#endif -diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h ---- linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h 2007-05-26 20:40:10.940193256 +0200 -@@ -0,0 +1,14 @@ -+#ifndef _LINUX_XT_CHAOS_H -+#define _LINUX_XT_CHAOS_H 1 -+ -+enum xt_chaos_variant { -+ XTCHAOS_NORMAL, -+ XTCHAOS_TARPIT, -+ XTCHAOS_DELUDE, -+}; -+ -+struct xt_chaos_info { -+ enum xt_chaos_variant variant; -+}; -+ -+#endif /* _LINUX_XT_CHAOS_H */ -diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h ---- linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h 2007-05-26 20:40:10.940193256 +0200 -@@ -0,0 +1,8 @@ -+#ifndef _LINUX_XT_PORTSCAN_H -+#define _LINUX_XT_PORTSCAN_H 1 -+ -+struct xt_portscan_info { -+ unsigned int match_stealth, match_syn, match_cn, match_gr; -+}; -+ -+#endif /* _LINUX_XT_PORTSCAN_H */ -diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/netfilter/find_match.c ---- linux-2.6.21.1.old/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/find_match.c 2007-05-26 20:40:10.970188696 +0200 -@@ -0,0 +1,39 @@ -+/* -+ xt_request_find_match -+ by Jan Engelhardt , 2006 - 2007 -+ -+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: -+ Copyright (C) 2006-2006 Harald Welte -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+ -+/* -+ * Yeah this code is sub-optimal, but the function is missing in -+ * mainline so far. -jengelh -+ */ -+static struct xt_match *xt_request_find_match_lo(int af, const char *name, -+ u8 revision) -+{ -+ static const char *const xt_prefix[] = { -+ [AF_INET] = "ip", -+ [AF_INET6] = "ip6", -+ [NF_ARP] = "arp", -+ }; -+ struct xt_match *match; -+ -+ match = try_then_request_module(xt_find_match(af, name, revision), -+ "%st_%s", xt_prefix[af], name); -+ if(IS_ERR(match) || match == NULL) -+ return NULL; -+ -+ return match; -+} -+ -+/* In case it goes into mainline, let this out-of-tree package compile */ -+#define xt_request_find_match xt_request_find_match_lo -diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfilter/Kconfig ---- linux-2.6.21.1.old/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/netfilter/Kconfig 2007-05-26 20:40:11.003183680 +0200 -@@ -287,6 +287,14 @@ - - # alphabetically ordered list of targets - -+config NETFILTER_XT_TARGET_CHAOS -+ tristate '"CHAOS" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `CHAOS' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_CLASSIFY - tristate '"CLASSIFY" target support' - depends on NETFILTER_XTABLES -@@ -315,6 +323,14 @@ - . The module will be called - ipt_CONNMARK.o. If unsure, say `N'. - -+config NETFILTER_XT_TARGET_DELUDE -+ tristate '"DELUDE" target support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a `DELUDE' target. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_TARGET_DSCP - tristate '"DSCP" target support' - depends on NETFILTER_XTABLES -@@ -563,6 +579,14 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config NETFILTER_XT_MATCH_PORTSCAN -+ tristate '"portscan" match support' -+ depends on NETFILTER_XTABLES -+ help -+ This option adds a 'portscan' match support. -+ -+ To compile it as a module, choose M here. If unsure, say N. -+ - config NETFILTER_XT_MATCH_MULTIPORT - tristate "Multiple port match support" - depends on NETFILTER_XTABLES -diff -urN linux-2.6.21.1.old/net/netfilter/Makefile linux-2.6.21.1.dev/net/netfilter/Makefile ---- linux-2.6.21.1.old/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/netfilter/Makefile 2007-05-26 20:40:11.003183680 +0200 -@@ -37,8 +37,10 @@ - obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o - - # targets -+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o - obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o - obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o -+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o - obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o - obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o - obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o -@@ -63,6 +65,7 @@ - obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o - obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o - obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o -+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o - obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o - obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o - obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o -diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c ---- linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c 2007-05-26 20:40:11.004183528 +0200 -@@ -0,0 +1,204 @@ -+/* -+ CHAOS target for netfilter -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "find_match.c" -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+/* Module parameters */ -+static unsigned int reject_percentage = ~0U * .01; -+static unsigned int delude_percentage = ~0U * .0101; -+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); -+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); -+ -+/* References to other matches/targets */ -+static struct xt_match *xm_tcp; -+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; -+ -+static int have_delude, have_tarpit; -+ -+/* Static data for other matches/targets */ -+static const struct ipt_reject_info reject_params = { -+ .with = ICMP_HOST_UNREACH, -+}; -+ -+static const struct xt_tcp tcp_params = { -+ .spts = {0, ~0}, -+ .dpts = {0, ~0}, -+}; -+ -+/* CHAOS functions */ -+static void xt_chaos_total(const struct xt_chaos_info *info, -+ struct sk_buff **pskb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum) -+{ -+ const int protoff = 4 * (*pskb)->nh.iph->ihl; -+ const int offset = ntohs((*pskb)->nh.iph->frag_off) & IP_OFFSET; -+ const struct xt_target *destiny; -+ int hotdrop = 0, ret; -+ -+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, -+ offset, protoff, &hotdrop); -+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage) -+ return; -+ -+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; -+#ifdef HAVE_TARGUSERINFO -+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL); -+#else -+ destiny->target(pskb, in, out, hooknum, destiny, NULL); -+#endif -+ return; -+} -+ -+static unsigned int xt_chaos_target(struct sk_buff **pskb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* Equivalent to: -+ * -A chaos -m statistic --mode random --probability \ -+ * $reject_percentage -j REJECT --reject-with host-unreach; -+ * -A chaos -p tcp -m statistic --mode random --probability \ -+ * $delude_percentage -j DELUDE; -+ * -A chaos -j DROP; -+ */ -+ const struct xt_chaos_info *info = targinfo; -+ -+ if((unsigned int)net_random() <= reject_percentage) -+#ifdef HAVE_TARGUSERINFO -+ return xt_reject->target(pskb, in, out, hooknum, target, -+ &reject_params, userinfo); -+#else -+ return xt_reject->target(pskb, in, out, hooknum, target, -+ &reject_params); -+#endif -+ -+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ -+ if((*pskb)->nh.iph->protocol == IPPROTO_TCP && -+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) -+ xt_chaos_total(info, pskb, in, out, hooknum); -+ -+ return NF_DROP; -+} -+ -+static int xt_chaos_checkentry(const char *tablename, const void *entry, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_chaos_info *info = targinfo; -+ if(info->variant == XTCHAOS_DELUDE && !have_delude) { -+ printk(KERN_WARNING PFX "Error: Cannot use --delude when " -+ "DELUDE module not available\n"); -+ return 0; -+ } -+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) { -+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " -+ "TARPIT module not available\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+static struct xt_target xt_chaos_info = { -+ .name = "CHAOS", -+ .target = xt_chaos_target, -+ .checkentry = xt_chaos_checkentry, -+ .table = "filter", -+ .targetsize = sizeof(struct xt_chaos_info), -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_chaos_init(void) -+{ -+ int ret = -EINVAL; -+ -+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); -+ if(xm_tcp == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"tcp\" match\n"); -+ return -EINVAL; -+ } -+ -+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); -+ if(xt_reject == NULL) { -+ printk(KERN_WARNING PFX "Error: Could not find or load " -+ "\"REJECT\" target\n"); -+ goto out2; -+ } -+ -+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); -+ have_tarpit = xt_tarpit != NULL; -+ if(!have_tarpit) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"TARPIT\" target\n"); -+ -+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); -+ have_delude = xt_delude != NULL; -+ if(!have_delude) -+ printk(KERN_WARNING PFX "Warning: Could not find or load " -+ "\"DELUDE\" target\n"); -+ -+ if((ret = xt_register_target(&xt_chaos_info)) != 0) { -+ printk(KERN_WARNING PFX "xt_register_target returned " -+ "error %d\n", ret); -+ goto out3; -+ } -+ -+ return 0; -+ -+ out3: -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ module_put(xt_reject->me); -+ out2: -+ module_put(xm_tcp->me); -+ return ret; -+} -+ -+static void __exit xt_chaos_exit(void) -+{ -+ xt_unregister_target(&xt_chaos_info); -+ module_put(xm_tcp->me); -+ module_put(xt_reject->me); -+ if(have_delude) -+ module_put(xt_delude->me); -+ if(have_tarpit) -+ module_put(xt_tarpit->me); -+ return; -+} -+ -+module_init(xt_chaos_init); -+module_exit(xt_chaos_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter CHAOS target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_CHAOS"); -diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c ---- linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c 2007-05-26 20:40:11.004183528 +0200 -@@ -0,0 +1,288 @@ -+/* -+ DELUDE target -+ Copyright © Jan Engelhardt , 2007 -+ -+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: -+ (C) 1999-2001 Paul `Rusty' Russell -+ (C) 2002-2004 Netfilter Core Team -+ -+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef CONFIG_BRIDGE_NETFILTER -+# include -+#endif -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+static inline struct rtable *route_reverse(struct sk_buff *skb, -+ struct tcphdr *tcph, int hook) -+{ -+ struct iphdr *iph = skb->nh.iph; -+ struct dst_entry *odst; -+ struct flowi fl = {}; -+ struct rtable *rt; -+ -+ /* We don't require ip forwarding to be enabled to be able to -+ * send a RST reply for bridged traffic. */ -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) { -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ if (hook == NF_IP_LOCAL_IN) -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ } else { -+ /* non-local src, find valid iif to satisfy -+ * rp-filter when calling ip_route_input. */ -+ fl.nl_u.ip4_u.daddr = iph->daddr; -+ if (ip_route_output_key(&rt, &fl) != 0) -+ return NULL; -+ -+ odst = skb->dst; -+ if (ip_route_input(skb, iph->saddr, iph->daddr, -+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ dst_release(&rt->u.dst); -+ rt = (struct rtable *)skb->dst; -+ skb->dst = odst; -+ -+ fl.nl_u.ip4_u.daddr = iph->saddr; -+ fl.nl_u.ip4_u.saddr = iph->daddr; -+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); -+ } -+ -+ if (rt->u.dst.error) { -+ dst_release(&rt->u.dst); -+ return NULL; -+ } -+ -+ fl.proto = IPPROTO_TCP; -+ fl.fl_ip_sport = tcph->dest; -+ fl.fl_ip_dport = tcph->source; -+ -+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0); -+ -+ return rt; -+} -+ -+static void send_reset(struct sk_buff *oldskb, int hook) -+{ -+ struct sk_buff *nskb; -+ struct iphdr *iph = oldskb->nh.iph; -+ struct tcphdr _otcph, *oth, *tcph; -+ __be16 tmp_port; -+ __be32 tmp_addr; -+ int needs_ack; -+ unsigned int addr_type; -+ -+ /* IP header checks: fragment. */ -+ if (oldskb->nh.iph->frag_off & htons(IP_OFFSET)) -+ return; -+ -+ oth = skb_header_pointer(oldskb, oldskb->nh.iph->ihl * 4, -+ sizeof(_otcph), &_otcph); -+ if (oth == NULL) -+ return; -+ -+ /* No RST for RST. */ -+ if (oth->rst) -+ return; -+ -+ /* Check checksum */ -+ if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP)) -+ return; -+ -+ /* We need a linear, writeable skb. We also need to expand -+ headroom in case hh_len of incoming interface < hh_len of -+ outgoing interface */ -+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), -+ GFP_ATOMIC); -+ if (!nskb) -+ return; -+ -+ /* This packet will not be the same as the other: clear nf fields */ -+ nf_reset(nskb); -+ nskb->nfmark = 0; -+ skb_init_secmark(nskb); -+ -+ skb_shinfo(nskb)->gso_size = 0; -+ skb_shinfo(nskb)->gso_segs = 0; -+ skb_shinfo(nskb)->gso_type = 0; -+ -+ tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl); -+ -+ /* Swap source and dest */ -+ tmp_addr = nskb->nh.iph->saddr; -+ nskb->nh.iph->saddr = nskb->nh.iph->daddr; -+ nskb->nh.iph->daddr = tmp_addr; -+ tmp_port = tcph->source; -+ tcph->source = tcph->dest; -+ tcph->dest = tmp_port; -+ -+ /* Truncate to length (no data) */ -+ tcph->doff = sizeof(struct tcphdr)/4; -+ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr)); -+ nskb->nh.iph->tot_len = htons(nskb->len); -+ -+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) { -+ /* DELUDE essential part */ -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + -+ oldskb->len - oldskb->nh.iph->ihl * 4 - -+ (oth->doff << 2)); -+ tcph->seq = htonl(secure_tcp_sequence_number( -+ nskb->nh.iph->saddr, nskb->nh.iph->daddr, -+ tcph->source, tcph->dest)); -+ tcph->ack = 1; -+ } else { -+ if(!tcph->ack) { -+ needs_ack = 1; -+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin -+ + oldskb->len - oldskb->nh.iph->ihl*4 -+ - (oth->doff<<2)); -+ tcph->seq = 0; -+ } else { -+ needs_ack = 0; -+ tcph->seq = oth->ack_seq; -+ tcph->ack_seq = 0; -+ } -+ -+ /* Reset flags */ -+ ((u_int8_t *)tcph)[13] = 0; -+ tcph->rst = 1; -+ tcph->ack = needs_ack; -+ } -+ -+ -+ tcph->window = 0; -+ tcph->urg_ptr = 0; -+ -+ /* Adjust TCP checksum */ -+ tcph->check = 0; -+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), -+ nskb->nh.iph->saddr, -+ nskb->nh.iph->daddr, -+ csum_partial((char *)tcph, -+ sizeof(struct tcphdr), 0)); -+ -+ /* Set DF, id = 0 */ -+ nskb->nh.iph->frag_off = htons(IP_DF); -+ nskb->nh.iph->id = 0; -+ -+ addr_type = RTN_UNSPEC; -+ if (hook != NF_IP_FORWARD -+#ifdef CONFIG_BRIDGE_NETFILTER -+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED) -+#endif -+ ) -+ addr_type = RTN_LOCAL; -+ -+ if (ip_route_me_harder(&nskb, addr_type)) -+ goto free_nskb; -+ -+ nskb->ip_summed = CHECKSUM_NONE; -+ -+ /* Adjust IP TTL */ -+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); -+ -+ /* Adjust IP checksum */ -+ nskb->nh.iph->check = 0; -+ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, -+ nskb->nh.iph->ihl); -+ -+ /* "Never happens" */ -+ if (nskb->len > dst_mtu(nskb->dst)) -+ goto free_nskb; -+ -+ nf_ct_attach(nskb, oldskb); -+ -+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, -+ dst_output); -+ return; -+ -+ free_nskb: -+ kfree_skb(nskb); -+} -+ -+static unsigned int xt_delude_target(struct sk_buff **pskb, -+ const struct net_device *in, const struct net_device *out, -+ unsigned int hooknum, const struct xt_target *target, const void *targinfo -+#ifdef HAVE_TARGUSERINFO -+ , -+ void *userinfo -+#endif -+ ) -+{ -+ /* WARNING: This code causes reentry within iptables. -+ This means that the iptables jump stack is now crap. We -+ must return an absolute verdict. --RR */ -+ send_reset(*pskb, hooknum); -+ return NF_DROP; -+} -+ -+static int xt_delude_check(const char *tablename, const void *e_void, -+ const struct xt_target *target, void *targinfo, -+#ifdef HAVE_TARGINFOSIZE -+ unsigned int targinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) { -+ printk(KERN_WARNING PFX "DELUDE may not be used in chains " -+ "other than INPUT and FORWARD\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+static struct xt_target xt_delude_info = { -+ .name = "DELUDE", -+ .target = xt_delude_target, -+ .checkentry = xt_delude_check, -+ .table = "filter", -+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | -+ (1 << NF_IP_LOCAL_OUT), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_delude_init(void) -+{ -+ return xt_register_target(&xt_delude_info); -+} -+ -+static void __exit xt_delude_exit(void) -+{ -+ xt_unregister_target(&xt_delude_info); -+} -+ -+module_init(xt_delude_init); -+module_exit(xt_delude_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter DELUDE target"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_DELUDE"); -diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/netfilter/xt_portscan.c ---- linux-2.6.21.1.old/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/netfilter/xt_portscan.c 2007-05-26 20:40:11.004183528 +0200 -@@ -0,0 +1,272 @@ -+/* -+ portscan match for netfilter -+ -+ Written by Jan Engelhardt, 2006 - 2007 -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#define PFX KBUILD_MODNAME ": " -+ -+enum { -+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, -+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, -+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, -+}; -+ -+/* Module parameters */ -+static unsigned int -+ connmark_mask = ~0, -+ packet_mask = ~0, -+ mark_seen = 0x9, -+ mark_synrcv = 0x1, -+ mark_closed = 0x2, -+ mark_synscan = 0x3, -+ mark_estab1 = 0x4, -+ mark_estab2 = 0x5, -+ mark_cnscan = 0x6, -+ mark_grscan = 0x7, -+ mark_valid = 0x8; -+ -+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); -+module_param(packet_mask, uint, S_IRUGO | S_IWUSR); -+module_param(mark_seen, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); -+module_param(mark_closed, uint, S_IRUGO | S_IWUSR); -+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); -+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); -+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); -+module_param(mark_valid, uint, S_IRUGO | S_IWUSR); -+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); -+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); -+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); -+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); -+MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); -+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); -+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); -+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); -+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); -+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); -+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); -+ -+/* TCP flag functions */ -+static inline int tflg_ack4(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_ack6(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; -+} -+ -+static inline int tflg_fin(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; -+} -+ -+static inline int tflg_rst(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; -+} -+ -+static inline int tflg_rstack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_ACK | TCP_FLAG_RST); -+} -+ -+static inline int tflg_syn(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; -+} -+ -+static inline int tflg_synack(const struct tcphdr *th) -+{ -+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == -+ (TCP_FLAG_SYN | TCP_FLAG_ACK); -+} -+ -+/* portscan functions */ -+static inline int xt_portscan_stealth(const struct tcphdr *th) -+{ -+ /* -+ * "Connection refused" replies to our own probes must not be matched. -+ */ -+ if(tflg_rstack(th)) -+ return 0; -+ -+ if(tflg_rst(th) && printk_ratelimit()) { -+ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); -+ return 0; -+ } -+ -+ /* -+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start -+ * packets that are not associated with any connection -- this will -+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag -+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). -+ */ -+ return !tflg_syn(th); -+} -+ -+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate, -+ int loopback, const struct tcphdr *tcph, int payload_len) -+{ -+ if(mark == mark_estab2) { -+ /* -+ * -m connmark --mark $ESTAB2 -+ */ -+ if(tflg_ack4(tcph) && payload_len == 0) -+ return mark; /* keep mark */ -+ else if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_grscan; -+ else -+ return mark_valid; -+ } else if(mark == mark_estab1) { -+ /* -+ * -m connmark --mark $ESTAB1 -+ */ -+ if(tflg_rst(tcph) || tflg_fin(tcph)) -+ return mark_cnscan; -+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0) -+ return mark_estab2; -+ else -+ return mark_valid; -+ } else if(mark == mark_synrcv) { -+ /* -+ * -m connmark --mark $SYN -+ */ -+ if(loopback && tflg_synack(tcph)) -+ return mark; /* keep mark */ -+ else if(loopback && tflg_rstack(tcph)) -+ return mark_closed; -+ else if(tflg_ack6(tcph)) -+ return mark_estab1; -+ else -+ return mark_synscan; -+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) { -+ /* -+ * -p tcp --syn --ctstate NEW -+ */ -+ return mark_synrcv; -+ } -+ return mark; -+} -+ -+static int xt_portscan_match(const struct sk_buff *skb, -+ const struct net_device *in, const struct net_device *out, -+ const struct xt_match *match, const void *matchinfo, int offset, -+ unsigned int protoff, int *hotdrop) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+ enum ip_conntrack_info ctstate; -+ struct ip_conntrack *ctdata; -+ const struct tcphdr *tcph; -+ struct tcphdr tcph_buf; -+ -+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); -+ if(tcph == NULL) -+ return 0; -+ -+ /* Check for invalid packets: -m conntrack --ctstate INVALID */ -+ if((ctdata = ip_conntrack_get(skb, &ctstate)) == NULL) { -+ if(info->match_stealth) -+ return xt_portscan_stealth(tcph); -+ /* -+ * If @ctdata is NULL, we cannot match the other scan -+ * types, return. -+ */ -+ return 0; -+ } -+ -+ /* -+ * If -m portscan was previously applied to this packet, the rules we -+ * simulate must not be run through again. And for speedup, do not call -+ * it either when the connection is already VALID. -+ */ -+ if((ctdata->mark & connmark_mask) == mark_valid || -+ (skb->nfmark & packet_mask) != mark_seen) -+ { -+ unsigned int n; -+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate, -+ in == &loopback_dev, tcph, -+ skb->len - protoff - 4 * tcph->doff); -+ -+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; -+ ((struct sk_buff *)skb)->nfmark = -+ (skb->nfmark & ~packet_mask) | mark_seen; -+ } -+ -+ return (info->match_syn && ctdata->mark == mark_synscan) || -+ (info->match_cn && ctdata->mark == mark_cnscan) || -+ (info->match_gr && ctdata->mark == mark_grscan); -+} -+ -+static int xt_portscan_checkentry(const char *tablename, const void *entry, -+ const struct xt_match *match, void *matchinfo, -+#ifdef HAVE_MATCHINFOSIZE -+ unsigned int matchinfosize, -+#endif -+ unsigned int hook_mask) -+{ -+ const struct xt_portscan_info *info = matchinfo; -+#ifdef HAVE_MATCHINFOSIZE -+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) { -+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n", -+ matchinfosize, -+ XT_ALIGN(sizeof(struct xt_portscan_info))); -+ return 0; -+ } -+#endif -+ if((info->match_stealth & ~1) || (info->match_syn & ~1) || -+ (info->match_cn & ~1) || (info->match_gr & ~1)) { -+ printk(KERN_WARNING PFX "Invalid flags\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+static struct xt_match xt_portscan = { -+ .name = "portscan", -+ .match = xt_portscan_match, -+ .checkentry = xt_portscan_checkentry, -+ .matchsize = sizeof(struct xt_portscan_info), -+ .proto = IPPROTO_TCP, -+ .family = AF_INET, -+ .me = THIS_MODULE, -+}; -+ -+static int __init xt_portscan_init(void) -+{ -+ return xt_register_match(&xt_portscan); -+} -+ -+static void __exit xt_portscan_exit(void) -+{ -+ xt_unregister_match(&xt_portscan); -+ return; -+} -+ -+module_init(xt_portscan_init); -+module_exit(xt_portscan_exit); -+MODULE_AUTHOR("Jan Engelhardt "); -+MODULE_DESCRIPTION("netfilter portscan match module"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_portscan"); diff --git a/target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch b/target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch new file mode 100644 index 0000000000..063bcf1e64 --- /dev/null +++ b/target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch @@ -0,0 +1,853 @@ +Index: linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h +@@ -0,0 +1,5 @@ ++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) ++# include ++#else /* linux-2.6.20+ */ ++# include ++#endif +Index: linux-2.6.21.7/include/linux/netfilter/oot_trans.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/include/linux/netfilter/oot_trans.h +@@ -0,0 +1,14 @@ ++/* Out of tree workarounds */ ++#include ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) ++# define HAVE_MATCHINFOSIZE 1 ++# define HAVE_TARGUSERINFO 1 ++# define HAVE_TARGINFOSIZE 1 ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) ++# define nfmark mark ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) ++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ ++ tcp_v4_check((tcph_sz), (s), (d), (csp)) ++#endif +Index: linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h +@@ -0,0 +1,14 @@ ++#ifndef _LINUX_NETFILTER_XT_CHAOS_H ++#define _LINUX_NETFILTER_XT_CHAOS_H 1 ++ ++enum xt_chaos_target_variant { ++ XTCHAOS_NORMAL, ++ XTCHAOS_TARPIT, ++ XTCHAOS_DELUDE, ++}; ++ ++struct xt_chaos_target_info { ++ uint8_t variant; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */ +Index: linux-2.6.21.7/include/linux/netfilter/xt_portscan.h +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/include/linux/netfilter/xt_portscan.h +@@ -0,0 +1,8 @@ ++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H ++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1 ++ ++struct xt_portscan_match_info { ++ uint8_t match_stealth, match_syn, match_cn, match_gr; ++}; ++ ++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */ +Index: linux-2.6.21.7/net/netfilter/find_match.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/find_match.c +@@ -0,0 +1,39 @@ ++/* ++ xt_request_find_match ++ by Jan Engelhardt , 2006 - 2007 ++ ++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c: ++ Copyright (C) 2006-2006 Harald Welte ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++*/ ++#include ++#include ++#include ++#include ++ ++/* ++ * Yeah this code is sub-optimal, but the function is missing in ++ * mainline so far. -jengelh ++ */ ++static struct xt_match *xt_request_find_match_lo(int af, const char *name, ++ u8 revision) ++{ ++ static const char *const xt_prefix[] = { ++ [AF_INET] = "ip", ++ [AF_INET6] = "ip6", ++ [NF_ARP] = "arp", ++ }; ++ struct xt_match *match; ++ ++ match = try_then_request_module(xt_find_match(af, name, revision), ++ "%st_%s", xt_prefix[af], name); ++ if (IS_ERR(match) || match == NULL) ++ return NULL; ++ ++ return match; ++} ++ ++/* In case it goes into mainline, let this out-of-tree package compile */ ++#define xt_request_find_match xt_request_find_match_lo +Index: linux-2.6.21.7/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/Kconfig ++++ linux-2.6.21.7/net/netfilter/Kconfig +@@ -287,6 +287,14 @@ config NETFILTER_XTABLES + + # alphabetically ordered list of targets + ++config NETFILTER_XT_TARGET_CHAOS ++ tristate '"CHAOS" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `CHAOS' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_CLASSIFY + tristate '"CLASSIFY" target support' + depends on NETFILTER_XTABLES +@@ -315,6 +323,14 @@ config NETFILTER_XT_TARGET_CONNMARK + . The module will be called + ipt_CONNMARK.o. If unsure, say `N'. + ++config NETFILTER_XT_TARGET_DELUDE ++ tristate '"DELUDE" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `DELUDE' target. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_TARGET_DSCP + tristate '"DSCP" target support' + depends on NETFILTER_XTABLES +@@ -563,6 +579,14 @@ config NETFILTER_XT_MATCH_POLICY + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_MATCH_PORTSCAN ++ tristate '"portscan" match support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a 'portscan' match support. ++ ++ To compile it as a module, choose M here. If unsure, say N. ++ + config NETFILTER_XT_MATCH_MULTIPORT + tristate "Multiple port match support" + depends on NETFILTER_XTABLES +Index: linux-2.6.21.7/net/netfilter/Makefile +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/Makefile ++++ linux-2.6.21.7/net/netfilter/Makefile +@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK + obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o + + # matches + obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o +@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) + obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o + obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o + obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o ++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o +Index: linux-2.6.21.7/net/netfilter/xt_CHAOS.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/xt_CHAOS.c +@@ -0,0 +1,200 @@ ++/* ++ * CHAOS target for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \ ++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE) ++# include ++# include "find_match.c" ++#else ++# include "xt_CHAOS.h" ++# include "find_match.c" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++/* Module parameters */ ++static unsigned int reject_percentage = ~0U * .01; ++static unsigned int delude_percentage = ~0U * .0101; ++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR); ++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR); ++ ++/* References to other matches/targets */ ++static struct xt_match *xm_tcp; ++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; ++ ++static int have_delude, have_tarpit; ++ ++/* Static data for other matches/targets */ ++static const struct ipt_reject_info reject_params = { ++ .with = ICMP_HOST_UNREACH, ++}; ++ ++static const struct xt_tcp tcp_params = { ++ .spts = {0, ~0}, ++ .dpts = {0, ~0}, ++}; ++ ++/* CHAOS functions */ ++static void xt_chaos_total(const struct xt_chaos_target_info *info, ++ struct sk_buff **pskb, const struct net_device *in, ++ const struct net_device *out, unsigned int hooknum) ++{ ++ const struct iphdr *iph = ip_hdr(*pskb); ++ const int protoff = 4 * iph->ihl; ++ const int offset = ntohs(iph->frag_off) & IP_OFFSET; ++ const struct xt_target *destiny; ++ int hotdrop = 0, ret; ++ ++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, ++ offset, protoff, &hotdrop); ++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage) ++ return; ++ ++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; ++ destiny->target(pskb, in, out, hooknum, destiny, NULL); ++ return; ++} ++ ++static unsigned int chaos_tg(struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* ++ * Equivalent to: ++ * -A chaos -m statistic --mode random --probability \ ++ * $reject_percentage -j REJECT --reject-with host-unreach; ++ * -A chaos -p tcp -m statistic --mode random --probability \ ++ * $delude_percentage -j DELUDE; ++ * -A chaos -j DROP; ++ */ ++ const struct xt_chaos_target_info *info = targinfo; ++ const struct iphdr *iph = ip_hdr(*pskb); ++ ++ if ((unsigned int)net_random() <= reject_percentage) ++ return xt_reject->target(pskb, in, out, hooknum, target, ++ &reject_params); ++ ++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ ++ if (iph->protocol == IPPROTO_TCP && ++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) ++ xt_chaos_total(info, pskb, in, out, hooknum); ++ ++ return NF_DROP; ++} ++ ++static int chaos_tg_check(const char *tablename, const void *entry, ++ const struct xt_target *target, void *targinfo, unsigned int hook_mask) ++{ ++ const struct xt_chaos_target_info *info = targinfo; ++ ++ if (info->variant == XTCHAOS_DELUDE && !have_delude) { ++ printk(KERN_WARNING PFX "Error: Cannot use --delude when " ++ "DELUDE module not available\n"); ++ return false; ++ } ++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) { ++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " ++ "TARPIT module not available\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++static struct xt_target chaos_tg_reg = { ++ .name = "CHAOS", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | ++ (1 << NF_IP_LOCAL_OUT), ++ .checkentry = chaos_tg_check, ++ .target = chaos_tg, ++ .targetsize = sizeof(struct xt_chaos_target_info), ++ .me = THIS_MODULE, ++}; ++ ++static int __init chaos_tg_init(void) ++{ ++ int ret = -EINVAL; ++ ++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); ++ if (xm_tcp == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"tcp\" match\n"); ++ return -EINVAL; ++ } ++ ++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); ++ if (xt_reject == NULL) { ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"REJECT\" target\n"); ++ goto out2; ++ } ++ ++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); ++ have_tarpit = xt_tarpit != NULL; ++ if (!have_tarpit) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"TARPIT\" target\n"); ++ ++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); ++ have_delude = xt_delude != NULL; ++ if (!have_delude) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"DELUDE\" target\n"); ++ ++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) { ++ printk(KERN_WARNING PFX "xt_register_target returned " ++ "error %d\n", ret); ++ goto out3; ++ } ++ ++ return 0; ++ ++ out3: ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ module_put(xt_reject->me); ++ out2: ++ module_put(xm_tcp->me); ++ return ret; ++} ++ ++static void __exit chaos_tg_exit(void) ++{ ++ xt_unregister_target(&chaos_tg_reg); ++ module_put(xm_tcp->me); ++ module_put(xt_reject->me); ++ if (have_delude) ++ module_put(xt_delude->me); ++ if (have_tarpit) ++ module_put(xt_tarpit->me); ++ return; ++} ++ ++module_init(chaos_tg_init); ++module_exit(chaos_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"CHAOS\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_CHAOS"); +Index: linux-2.6.21.7/net/netfilter/xt_DELUDE.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/xt_DELUDE.c +@@ -0,0 +1,197 @@ ++/* ++ * DELUDE target ++ * Copyright © CC Computer Consultants GmbH, 2007 ++ * Contact: Jan Engelhardt ++ * ++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: ++ * (C) 1999-2001 Paul `Rusty' Russell ++ * (C) 2002-2004 Netfilter Core Team ++ * ++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#ifdef CONFIG_BRIDGE_NETFILTER ++# include ++#endif ++#include ++#define PFX KBUILD_MODNAME ": " ++ ++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook) ++{ ++ struct tcphdr _otcph, *oth, *tcph; ++ unsigned int addr_type; ++ struct sk_buff *nskb; ++ u_int16_t tmp_port; ++ u_int32_t tmp_addr; ++ struct iphdr *niph; ++ bool needs_ack; ++ ++ /* IP header checks: fragment. */ ++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) ++ return; ++ ++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), ++ sizeof(_otcph), &_otcph); ++ if (oth == NULL) ++ return; ++ ++ /* No RST for RST. */ ++ if (oth->rst) ++ return; ++ ++ /* Check checksum */ ++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) ++ return; ++ ++ /* We need a linear, writeable skb. We also need to expand ++ headroom in case hh_len of incoming interface < hh_len of ++ outgoing interface */ ++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), ++ GFP_ATOMIC); ++ if (!nskb) ++ return; ++ ++ /* This packet will not be the same as the other: clear nf fields */ ++ nf_reset(nskb); ++ nskb->mark = 0; ++ skb_init_secmark(nskb); ++ ++ skb_shinfo(nskb)->gso_size = 0; ++ skb_shinfo(nskb)->gso_segs = 0; ++ skb_shinfo(nskb)->gso_type = 0; ++ ++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb)); ++ ++ /* Swap source and dest */ ++ niph = ip_hdr(nskb); ++ tmp_addr = niph->saddr; ++ niph->saddr = niph->daddr; ++ niph->daddr = tmp_addr; ++ tmp_port = tcph->source; ++ tcph->source = tcph->dest; ++ tcph->dest = tmp_port; ++ ++ /* Truncate to length (no data) */ ++ tcph->doff = sizeof(struct tcphdr) / 4; ++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); ++ niph->tot_len = htons(nskb->len); ++ ++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) { ++ /* DELUDE essential part */ ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + ++ oldskb->len - ip_hdrlen(oldskb) - ++ (oth->doff << 2)); ++ tcph->seq = false; ++ tcph->ack = true; ++ } else { ++ if (!tcph->ack) { ++ needs_ack = true; ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + ++ oth->fin + oldskb->len - ++ ip_hdrlen(oldskb) - (oth->doff<<2)); ++ tcph->seq = false; ++ } else { ++ needs_ack = false; ++ tcph->seq = oth->ack_seq; ++ tcph->ack_seq = false; ++ } ++ ++ /* Reset flags */ ++ ((u_int8_t *)tcph)[13] = 0; ++ tcph->rst = true; ++ tcph->ack = needs_ack; ++ } ++ ++ tcph->window = 0; ++ tcph->urg_ptr = 0; ++ ++ /* Adjust TCP checksum */ ++ tcph->check = 0; ++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, ++ niph->daddr, csum_partial((char *)tcph, ++ sizeof(struct tcphdr), 0)); ++ ++ /* Set DF, id = 0 */ ++ niph->frag_off = htons(IP_DF); ++ niph->id = 0; ++ ++ addr_type = RTN_UNSPEC; ++#ifdef CONFIG_BRIDGE_NETFILTER ++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL && ++ nskb->nf_bridge->mask & BRNF_BRIDGED)) ++#else ++ if (hook != NF_IP_FORWARD) ++#endif ++ addr_type = RTN_LOCAL; ++ ++ if (ip_route_me_harder(&nskb, addr_type)) ++ goto free_nskb; ++ ++ nskb->ip_summed = CHECKSUM_NONE; ++ ++ /* Adjust IP TTL */ ++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); ++ ++ /* Adjust IP checksum */ ++ niph->check = 0; ++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl); ++ ++ /* "Never happens" */ ++ if (nskb->len > dst_mtu(nskb->dst)) ++ goto free_nskb; ++ ++ nf_ct_attach(nskb, oldskb); ++ ++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev, ++ dst_output); ++ return; ++ ++ free_nskb: ++ kfree_skb(nskb); ++} ++ ++static unsigned int delude_tg(struct sk_buff **pskb, ++ const struct net_device *in, const struct net_device *out, ++ unsigned int hooknum, const struct xt_target *target, const void *targinfo) ++{ ++ /* WARNING: This code causes reentry within iptables. ++ This means that the iptables jump stack is now crap. We ++ must return an absolute verdict. --RR */ ++ delude_send_reset(*pskb, hooknum); ++ return NF_DROP; ++} ++ ++static struct xt_target delude_tg_reg = { ++ .name = "DELUDE", ++ .family = AF_INET, ++ .table = "filter", ++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD), ++ .target = delude_tg, ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init delude_tg_init(void) ++{ ++ return xt_register_target(&delude_tg_reg); ++} ++ ++static void __exit delude_tg_exit(void) ++{ ++ xt_unregister_target(&delude_tg_reg); ++} ++ ++module_init(delude_tg_init); ++module_exit(delude_tg_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"DELUDE\" target"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_DELUDE"); +Index: linux-2.6.21.7/net/netfilter/xt_portscan.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/xt_portscan.c +@@ -0,0 +1,269 @@ ++/* ++ * portscan match for netfilter ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#if defined(_LOCAL) ++# include "xt_portscan.h" ++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \ ++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE) ++# include ++#else ++# include "xt_portscan.h" ++#endif ++#define PFX KBUILD_MODNAME ": " ++ ++enum { ++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, ++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK, ++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG, ++}; ++ ++/* Module parameters */ ++static unsigned int ++ connmark_mask = ~0, ++ packet_mask = ~0, ++ mark_seen = 0x9, ++ mark_synrcv = 0x1, ++ mark_closed = 0x2, ++ mark_synscan = 0x3, ++ mark_estab1 = 0x4, ++ mark_estab2 = 0x5, ++ mark_cnscan = 0x6, ++ mark_grscan = 0x7, ++ mark_valid = 0x8; ++ ++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR); ++module_param(packet_mask, uint, S_IRUGO | S_IWUSR); ++module_param(mark_seen, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR); ++module_param(mark_closed, uint, S_IRUGO | S_IWUSR); ++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR); ++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR); ++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR); ++module_param(mark_valid, uint, S_IRUGO | S_IWUSR); ++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark"); ++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark"); ++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state"); ++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state"); ++MODULE_PARM_DESC(mark_closed, "connmark value for closed state"); ++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state"); ++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state"); ++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state"); ++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state"); ++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state"); ++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state"); ++ ++/* TCP flag functions */ ++static inline bool tflg_ack4(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_ack6(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK; ++} ++ ++static inline bool tflg_fin(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN; ++} ++ ++static inline bool tflg_rst(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST; ++} ++ ++static inline bool tflg_rstack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_ACK | TCP_FLAG_RST); ++} ++ ++static inline bool tflg_syn(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN; ++} ++ ++static inline bool tflg_synack(const struct tcphdr *th) ++{ ++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == ++ (TCP_FLAG_SYN | TCP_FLAG_ACK); ++} ++ ++/* portscan functions */ ++static inline bool portscan_mt_stealth(const struct tcphdr *th) ++{ ++ /* ++ * "Connection refused" replies to our own probes must not be matched. ++ */ ++ if (tflg_rstack(th)) ++ return false; ++ ++ if (tflg_rst(th) && printk_ratelimit()) { ++ printk(KERN_WARNING PFX "Warning: Pure RST received\n"); ++ return false; ++ } ++ ++ /* ++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start ++ * packets that are not associated with any connection -- this will ++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag ++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.). ++ */ ++ return !tflg_syn(th); ++} ++ ++static inline unsigned int portscan_mt_full(int mark, ++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph, ++ unsigned int payload_len) ++{ ++ if (mark == mark_estab2) { ++ /* ++ * -m connmark --mark $ESTAB2 ++ */ ++ if (tflg_ack4(tcph) && payload_len == 0) ++ return mark; /* keep mark */ ++ else if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_grscan; ++ else ++ return mark_valid; ++ } else if (mark == mark_estab1) { ++ /* ++ * -m connmark --mark $ESTAB1 ++ */ ++ if (tflg_rst(tcph) || tflg_fin(tcph)) ++ return mark_cnscan; ++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0) ++ return mark_estab2; ++ else ++ return mark_valid; ++ } else if (mark == mark_synrcv) { ++ /* ++ * -m connmark --mark $SYN ++ */ ++ if (loopback && tflg_synack(tcph)) ++ return mark; /* keep mark */ ++ else if (loopback && tflg_rstack(tcph)) ++ return mark_closed; ++ else if (tflg_ack6(tcph)) ++ return mark_estab1; ++ else ++ return mark_synscan; ++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) { ++ /* ++ * -p tcp --syn --ctstate NEW ++ */ ++ return mark_synrcv; ++ } ++ return mark; ++} ++ ++static int portscan_mt(const struct sk_buff *skb, ++ const struct net_device *in, const struct net_device *out, ++ const struct xt_match *match, const void *matchinfo, int offset, ++ unsigned int protoff, int *hotdrop) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ enum ip_conntrack_info ctstate; ++ const struct tcphdr *tcph; ++ struct nf_conn *ctdata; ++ struct tcphdr tcph_buf; ++ ++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf); ++ if (tcph == NULL) ++ return false; ++ ++ /* Check for invalid packets: -m conntrack --ctstate INVALID */ ++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { ++ if (info->match_stealth) ++ return portscan_mt_stealth(tcph); ++ /* ++ * If @ctdata is NULL, we cannot match the other scan ++ * types, return. ++ */ ++ return false; ++ } ++ ++ /* ++ * If -m portscan was previously applied to this packet, the rules we ++ * simulate must not be run through again. And for speedup, do not call ++ * it either when the connection is already VALID. ++ */ ++ if ((ctdata->mark & connmark_mask) == mark_valid || ++ (skb->mark & packet_mask) != mark_seen) { ++ unsigned int n; ++ ++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate, ++ in == &loopback_dev, tcph, ++ skb->len - protoff - 4 * tcph->doff); ++ ++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; ++ ((struct sk_buff *)skb)->mark = ++ (skb->mark & ~packet_mask) ^ mark_seen; ++ } ++ ++ return (info->match_syn && ctdata->mark == mark_synscan) || ++ (info->match_cn && ctdata->mark == mark_cnscan) || ++ (info->match_gr && ctdata->mark == mark_grscan); ++} ++ ++static int portscan_mt_check(const char *tablename, const void *entry, ++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask) ++{ ++ const struct xt_portscan_match_info *info = matchinfo; ++ ++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) || ++ (info->match_cn & ~1) || (info->match_gr & ~1)) { ++ printk(KERN_WARNING PFX "Invalid flags\n"); ++ return false; ++ } ++ return true; ++} ++ ++static struct xt_match portscan_mt_reg __read_mostly = { ++ .name = "portscan", ++ .family = AF_INET, ++ .match = portscan_mt, ++ .checkentry = portscan_mt_check, ++ .matchsize = sizeof(struct xt_portscan_match_info), ++ .proto = IPPROTO_TCP, ++ .me = THIS_MODULE, ++}; ++ ++static int __init portscan_mt_init(void) ++{ ++ return xt_register_match(&portscan_mt_reg); ++} ++ ++static void __exit portscan_mt_exit(void) ++{ ++ xt_unregister_match(&portscan_mt_reg); ++ return; ++} ++ ++module_init(portscan_mt_init); ++module_exit(portscan_mt_exit); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_DESCRIPTION("netfilter \"portscan\" match"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_portscan"); diff --git a/target/linux/generic-2.6/patches/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches/171-netfilter_tarpit.patch new file mode 100644 index 0000000000..a686bd3d6f --- /dev/null +++ b/target/linux/generic-2.6/patches/171-netfilter_tarpit.patch @@ -0,0 +1,325 @@ +Index: linux-2.6.21.7/net/netfilter/Kconfig +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/Kconfig ++++ linux-2.6.21.7/net/netfilter/Kconfig +@@ -414,6 +414,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_TARGET_TARPIT ++ tristate '"TARPIT" target support' ++ depends on NETFILTER_XTABLES ++ ---help--- ++ Adds a TARPIT target to iptables, which captures and holds ++ incoming TCP connections using no local per-connection resources. ++ Connections are accepted, but immediately switched to the persist ++ state (0 byte window), in which the remote side stops sending data ++ and asks to continue every 60-240 seconds. Attempts to close the ++ connection are ignored, forcing the remote side to time out the ++ connection in 12-24 minutes. ++ ++ This offers similar functionality to LaBrea ++ , but does not require dedicated ++ hardware or IPs. Any TCP port that you would normally DROP or REJECT ++ can instead become a tarpit. ++ + config NETFILTER_XT_TARGET_TCPMSS + tristate '"TCPMSS" target support' + depends on NETFILTER_XTABLES && (IPV6 || IPV6=n) +Index: linux-2.6.21.7/net/netfilter/Makefile +=================================================================== +--- linux-2.6.21.7.orig/net/netfilter/Makefile ++++ linux-2.6.21.7/net/netfilter/Makefile +@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE + obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o + obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o ++obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o + obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o +Index: linux-2.6.21.7/net/netfilter/xt_TARPIT.c +=================================================================== +--- /dev/null ++++ linux-2.6.21.7/net/netfilter/xt_TARPIT.c +@@ -0,0 +1,280 @@ ++/* ++ * Kernel module to capture and hold incoming TCP connections using ++ * no local per-connection resources. ++ * ++ * Based on ipt_REJECT.c and offering functionality similar to ++ * LaBrea . ++ * ++ * Copyright (c) 2002 Aaron Hopkins ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ * ++ * Goal: ++ * - Allow incoming TCP connections to be established. ++ * - Passing data should result in the connection being switched to the ++ * persist state (0 byte window), in which the remote side stops sending ++ * data and asks to continue every 60 seconds. ++ * - Attempts to shut down the connection should be ignored completely, so ++ * the remote side ends up having to time it out. ++ * ++ * This means: ++ * - Reply to TCP SYN,!ACK,!RST,!FIN with SYN-ACK, window 5 bytes ++ * - Reply to TCP SYN,ACK,!RST,!FIN with RST to prevent spoofing ++ * - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++struct in_device; ++#include ++#include ++#include ++ ++#if 0 ++#define DEBUGP printk ++#else ++#define DEBUGP(format, args...) ++#endif ++ ++/* Stolen from ip_finish_output2 */ ++static int ip_direct_send(struct sk_buff *skb) ++{ ++ struct dst_entry *dst = skb->dst; ++ ++ if (dst->hh != NULL) ++ return neigh_hh_output(dst->hh, skb); ++ else if (dst->neighbour != NULL) ++ return dst->neighbour->output(skb); ++ ++ if (net_ratelimit()) ++ printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n"); ++ ++ kfree_skb(skb); ++ return -EINVAL; ++} ++ ++ ++/* Send reply */ ++static void tarpit_tcp(const struct sk_buff *oskb, struct rtable *ort, ++ unsigned int local) ++{ ++ struct sk_buff *nskb; ++ struct rtable *nrt; ++ struct tcphdr *otcph, *ntcph; ++ struct flowi fl = {}; ++ unsigned int otcplen; ++ u_int16_t tmp; ++ ++ const struct iphdr *oiph = ip_hdr(oskb); ++ struct iphdr *niph; ++ ++ /* A truncated TCP header is not going to be useful */ ++ if (oskb->len < ip_hdrlen(oskb) + sizeof(struct tcphdr)) ++ return; ++ ++ otcph = (void *)oiph + ip_hdrlen(oskb); ++ otcplen = oskb->len - ip_hdrlen(oskb); ++ ++ /* No replies for RST or FIN */ ++ if (otcph->rst || otcph->fin) ++ return; ++ ++ /* No reply to !SYN,!ACK. Rate-limit replies to !SYN,ACKs */ ++ if (!otcph->syn && (!otcph->ack || !xrlim_allow(&ort->u.dst, 1*HZ))) ++ return; ++ ++ /* Check checksum. */ ++ if (tcp_v4_check(otcplen, oiph->saddr, oiph->daddr, ++ csum_partial((char *)otcph, otcplen, 0)) != 0) ++ return; ++ ++ /* ++ * Copy skb (even if skb is about to be dropped, we cannot just ++ * clone it because there may be other things, such as tcpdump, ++ * interested in it) ++ */ ++ nskb = skb_copy(oskb, GFP_ATOMIC); ++ if (nskb == NULL) ++ return; ++ ++ niph = ip_hdr(nskb); ++ ++ /* This packet will not be the same as the other: clear nf fields */ ++ nf_conntrack_put(nskb->nfct); ++ nskb->nfct = NULL; ++#ifdef CONFIG_NETFILTER_DEBUG ++ nskb->nf_debug = 0; ++#endif ++ ++ ntcph = (void *)niph + ip_hdrlen(nskb); ++ ++ /* Truncate to length (no data) */ ++ ntcph->doff = sizeof(struct tcphdr)/4; ++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); ++ niph->tot_len = htons(nskb->len); ++ ++ /* Swap source and dest */ ++ niph->daddr = xchg(&niph->saddr, niph->daddr); ++ tmp = ntcph->source; ++ ntcph->source = ntcph->dest; ++ ntcph->dest = tmp; ++ ++ /* Use supplied sequence number or make a new one */ ++ ntcph->seq = otcph->ack ? otcph->ack_seq ++ : htonl(secure_tcp_sequence_number(niph->saddr, ++ niph->daddr, ++ ntcph->source, ++ ntcph->dest)); ++ ++ /* Our SYN-ACKs must have a >0 window */ ++ ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0; ++ ++ ntcph->urg_ptr = 0; ++ ++ /* Reset flags */ ++ ((u_int8_t *)ntcph)[13] = 0; ++ ++ if (otcph->syn && otcph->ack) { ++ ntcph->rst = 1; ++ ntcph->ack_seq = 0; ++ } else { ++ ntcph->syn = otcph->syn; ++ ntcph->ack = 1; ++ ntcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn); ++ } ++ ++ /* Adjust TCP checksum */ ++ ntcph->check = 0; ++ ntcph->check = tcp_v4_check(sizeof(struct tcphdr), ++ niph->saddr, ++ niph->daddr, ++ csum_partial((char *)ntcph, ++ sizeof(struct tcphdr), 0)); ++ ++ fl.nl_u.ip4_u.daddr = niph->daddr; ++ fl.nl_u.ip4_u.saddr = local ? niph->saddr : 0; ++ fl.nl_u.ip4_u.tos = RT_TOS(niph->tos) | RTO_CONN; ++ fl.oif = 0; ++ ++ if (ip_route_output_key(&nrt, &fl)) ++ goto free_nskb; ++ ++ dst_release(nskb->dst); ++ nskb->dst = &nrt->u.dst; ++ ++ /* Adjust IP TTL */ ++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); ++ ++ /* Set DF, id = 0 */ ++ niph->frag_off = htons(IP_DF); ++ niph->id = 0; ++ ++ /* Adjust IP checksum */ ++ niph->check = 0; ++ niph->check = ip_fast_csum((unsigned char *)niph, niph->ihl); ++ ++ /* "Never happens" */ ++ if (nskb->len > dst_mtu(nskb->dst)) ++ goto free_nskb; ++ ++ ip_direct_send(nskb); ++ return; ++ ++ free_nskb: ++ kfree_skb(nskb); ++} ++ ++static unsigned int xt_tarpit_target(struct sk_buff **pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ unsigned int hooknum, ++ const struct xt_target *target, ++ const void *targinfo) ++{ ++ const struct sk_buff *skb = *pskb; ++ const struct iphdr *iph = ip_hdr(skb); ++ struct rtable *rt = (void *)skb->dst; ++ ++ /* Do we have an input route cache entry? */ ++ if (rt == NULL) ++ return NF_DROP; ++ ++ /* No replies to physical multicast/broadcast */ ++ if (skb->pkt_type != PACKET_HOST && skb->pkt_type != PACKET_OTHERHOST) ++ return NF_DROP; ++ ++ /* Now check at the protocol level */ ++ if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) ++ return NF_DROP; ++ ++ /* ++ * Our naive response construction does not deal with IP ++ * options, and probably should not try. ++ */ ++ if (iph->ihl * 4 != sizeof(struct iphdr)) ++ return NF_DROP; ++ ++ /* We are not interested in fragments */ ++ if (iph->frag_off & htons(IP_OFFSET)) ++ return NF_DROP; ++ ++ tarpit_tcp(skb, rt, hooknum == NF_IP_LOCAL_IN); ++ return NF_DROP; ++} ++ ++static int xt_tarpit_check(const char *tablename, const void *entry, ++ const struct xt_target *target, void *targinfo, ++ unsigned int hook_mask) ++{ ++ bool invalid; ++ ++ if (strcmp(tablename, "raw") == 0 && hook_mask == NF_IP_PRE_ROUTING) ++ return true; ++ if (strcmp(tablename, "filter") != 0) ++ return false; ++ invalid = hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD)); ++ return !invalid; ++} ++ ++static struct xt_target xt_tarpit_reg = { ++ .name = "TARPIT", ++ .family = AF_INET, ++ .proto = IPPROTO_TCP, ++ .target = xt_tarpit_target, ++ .checkentry = xt_tarpit_check, ++ .me = THIS_MODULE, ++}; ++ ++static int __init xt_tarpit_init(void) ++{ ++ return xt_register_target(&xt_tarpit_reg); ++} ++ ++static void __exit xt_tarpit_exit(void) ++{ ++ xt_unregister_target(&xt_tarpit_reg); ++} ++ ++module_init(xt_tarpit_init); ++module_exit(xt_tarpit_exit); ++MODULE_DESCRIPTION("netfilter xt_TARPIT target module"); ++MODULE_AUTHOR("Jan Engelhardt "); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_TARPIT"); diff --git a/target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch b/target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch new file mode 100644 index 0000000000..bb8f4f3342 --- /dev/null +++ b/target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch @@ -0,0 +1,58 @@ +Index: linux-2.6.21.7/include/linux/ip.h +=================================================================== +--- linux-2.6.21.7.orig/include/linux/ip.h ++++ linux-2.6.21.7/include/linux/ip.h +@@ -104,6 +104,16 @@ struct iphdr { + /*The options start here. */ + }; + ++#ifdef __KERNEL__ ++#include ++ ++static inline struct iphdr *ip_hdr(const struct sk_buff *skb) ++{ ++ return (struct iphdr *)skb_network_header(skb); ++} ++ ++#endif ++ + struct ip_auth_hdr { + __u8 nexthdr; + __u8 hdrlen; /* This one is measured in 32 bit units! */ +Index: linux-2.6.21.7/include/linux/skbuff.h +=================================================================== +--- linux-2.6.21.7.orig/include/linux/skbuff.h ++++ linux-2.6.21.7/include/linux/skbuff.h +@@ -966,6 +966,16 @@ static inline void skb_reserve(struct sk + skb->tail += len; + } + ++static inline unsigned char *skb_network_header(const struct sk_buff *skb) ++{ ++ return skb->nh.raw; ++} ++ ++static inline unsigned char *skb_tail_pointer(const struct sk_buff *skb) ++{ ++ return skb->tail; ++} ++ + /* + * CPUs often take a performance hit when accessing unaligned memory + * locations. The actual performance hit varies, it can be small if the +Index: linux-2.6.21.7/include/net/ip.h +=================================================================== +--- linux-2.6.21.7.orig/include/net/ip.h ++++ linux-2.6.21.7/include/net/ip.h +@@ -43,6 +43,11 @@ struct inet_skb_parm + #define IPSKB_REROUTED 16 + }; + ++static inline unsigned int ip_hdrlen(const struct sk_buff *skb) ++{ ++ return ip_hdr(skb)->ihl * 4; ++} ++ + struct ipcm_cookie + { + __be32 addr;