From 2a473ebe19c315691118f66e0f64617884f5a3f6 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 19 Feb 2010 21:25:40 +0000 Subject: [PATCH] iptables: fix multiport match for brcm-2.4 Since the netfilter framework in Linux 2.4 lacks support for target and match revisioning, iptables falls back to the v0 implementation of multiport while only v1 is implemented on the kernel side, leading to an invalid argument error when trying to insert rules using multiport. This patch removes v0 support from the userspace match library to enforce the usage of the v1 match implementation. SVN-Revision: 19761 --- .../010-multiport-linux-2.4-compat.patch | 265 ++++++++++++++++++ 1 file changed, 265 insertions(+) create mode 100644 package/iptables/patches/010-multiport-linux-2.4-compat.patch diff --git a/package/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/iptables/patches/010-multiport-linux-2.4-compat.patch new file mode 100644 index 0000000000..7233d3aeb2 --- /dev/null +++ b/package/iptables/patches/010-multiport-linux-2.4-compat.patch @@ -0,0 +1,265 @@ +--- a/extensions/libxt_multiport.c ++++ b/extensions/libxt_multiport.c +@@ -14,21 +14,6 @@ + #include + + /* Function which prints out usage message. */ +-static void multiport_help(void) +-{ +- printf( +-"multiport match options:\n" +-" --source-ports port[,port,port...]\n" +-" --sports ...\n" +-" match source port(s)\n" +-" --destination-ports port[,port,port...]\n" +-" --dports ...\n" +-" match destination port(s)\n" +-" --ports port[,port,port]\n" +-" match both source and destination port(s)\n" +-" NOTE: this kernel does not support port ranges in multiport.\n"); +-} +- + static void multiport_help_v1(void) + { + printf( +@@ -71,26 +56,6 @@ + } + } + +-static unsigned int +-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) +-{ +- char *buffer, *cp, *next; +- unsigned int i; +- +- buffer = strdup(portstring); +- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); +- +- for (cp=buffer, i=0; cp && idata; +- +- switch (c) { +- case '1': +- xtables_check_inverse(optarg, &invert, &optind, 0, argv); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(optarg, +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_SOURCE; +- break; +- +- case '2': +- xtables_check_inverse(optarg, &invert, &optind, 0, argv); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(optarg, +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_DESTINATION; +- break; +- +- case '3': +- xtables_check_inverse(optarg, &invert, &optind, 0, argv); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(optarg, +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_EITHER; +- break; +- +- default: +- return 0; +- } +- +- if (invert) +- xtables_error(PARAMETER_PROBLEM, +- "multiport does not support invert"); +- +- if (*flags) +- xtables_error(PARAMETER_PROBLEM, +- "multiport can only have one option"); +- *flags = 1; +- return 1; +-} +- +-static int +-multiport_parse(int c, char **argv, int invert, unsigned int *flags, +- const void *e, struct xt_entry_match **match) +-{ +- const struct ipt_entry *entry = e; +- return __multiport_parse(c, argv, invert, flags, match, +- entry->ip.proto, entry->ip.invflags); +-} +- +-static int +-multiport_parse6(int c, char **argv, int invert, unsigned int *flags, +- const void *e, struct xt_entry_match **match) +-{ +- const struct ip6t_entry *entry = e; +- return __multiport_parse(c, argv, invert, flags, match, +- entry->ipv6.proto, entry->ipv6.invflags); +-} +- +-static int + __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, + struct xt_entry_match **match, u_int16_t pnum, + u_int8_t invflags) +@@ -313,55 +211,6 @@ + } + + /* Prints out the matchinfo. */ +-static void +-__multiport_print(const struct xt_entry_match *match, int numeric, +- u_int16_t proto) +-{ +- const struct xt_multiport *multiinfo +- = (const struct xt_multiport *)match->data; +- unsigned int i; +- +- printf("multiport "); +- +- switch (multiinfo->flags) { +- case XT_MULTIPORT_SOURCE: +- printf("sports "); +- break; +- +- case XT_MULTIPORT_DESTINATION: +- printf("dports "); +- break; +- +- case XT_MULTIPORT_EITHER: +- printf("ports "); +- break; +- +- default: +- printf("ERROR "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], proto, numeric); +- } +- printf(" "); +-} +- +-static void multiport_print(const void *ip_void, +- const struct xt_entry_match *match, int numeric) +-{ +- const struct ipt_ip *ip = ip_void; +- __multiport_print(match, numeric, ip->proto); +-} +- +-static void multiport_print6(const void *ip_void, +- const struct xt_entry_match *match, int numeric) +-{ +- const struct ip6t_ip6 *ip = ip_void; +- __multiport_print(match, numeric, ip->proto); +-} +- + static void __multiport_print_v1(const struct xt_entry_match *match, + int numeric, u_int16_t proto) + { +@@ -418,48 +267,6 @@ + } + + /* Saves the union ipt_matchinfo in parsable form to stdout. */ +-static void __multiport_save(const struct xt_entry_match *match, +- u_int16_t proto) +-{ +- const struct xt_multiport *multiinfo +- = (const struct xt_multiport *)match->data; +- unsigned int i; +- +- switch (multiinfo->flags) { +- case XT_MULTIPORT_SOURCE: +- printf("--sports "); +- break; +- +- case XT_MULTIPORT_DESTINATION: +- printf("--dports "); +- break; +- +- case XT_MULTIPORT_EITHER: +- printf("--ports "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], proto, 1); +- } +- printf(" "); +-} +- +-static void multiport_save(const void *ip_void, +- const struct xt_entry_match *match) +-{ +- const struct ipt_ip *ip = ip_void; +- __multiport_save(match, ip->proto); +-} +- +-static void multiport_save6(const void *ip_void, +- const struct xt_entry_match *match) +-{ +- const struct ip6t_ip6 *ip = ip_void; +- __multiport_save(match, ip->proto); +-} +- + static void __multiport_save_v1(const struct xt_entry_match *match, + u_int16_t proto) + { +@@ -513,34 +320,6 @@ + { + .family = NFPROTO_IPV4, + .name = "multiport", +- .revision = 0, +- .version = XTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_multiport)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), +- .help = multiport_help, +- .parse = multiport_parse, +- .final_check = multiport_check, +- .print = multiport_print, +- .save = multiport_save, +- .extra_opts = multiport_opts, +- }, +- { +- .family = NFPROTO_IPV6, +- .name = "multiport", +- .revision = 0, +- .version = XTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_multiport)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), +- .help = multiport_help, +- .parse = multiport_parse6, +- .final_check = multiport_check, +- .print = multiport_print6, +- .save = multiport_save6, +- .extra_opts = multiport_opts, +- }, +- { +- .family = NFPROTO_IPV4, +- .name = "multiport", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), -- 2.30.2