openwrt-owl/obsolete-buildroot/sources/openwrt-linux-netfilter.patch

5824 lines
177 KiB
Diff

diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h 2003-08-12 07:43:11.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h 2004-05-09 04:13:03.000000000 -0400
@@ -45,39 +45,27 @@
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
/* per conntrack: protocol private data */
union ip_conntrack_proto {
/* insert conntrack proto private data here */
- struct ip_ct_gre gre;
struct ip_ct_tcp tcp;
struct ip_ct_icmp icmp;
};
union ip_conntrack_expect_proto {
/* insert expect proto private data here */
- struct ip_ct_gre_expect gre;
};
/* Add protocol helper include file here */
-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
-#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
-#include <linux/netfilter_ipv4/ip_autofw.h>
/* per expectation: application helper private data */
union ip_conntrack_expect_help {
/* insert conntrack helper private data (expect) here */
- struct ip_ct_pptp_expect exp_pptp_info;
- struct ip_ct_mms_expect exp_mms_info;
- struct ip_ct_h225_expect exp_h225_info;
struct ip_ct_ftp_expect exp_ftp_info;
struct ip_ct_irc_expect exp_irc_info;
- struct ip_autofw_expect exp_autofw_info;
#ifdef CONFIG_IP_NF_NAT_NEEDED
union {
@@ -89,21 +77,16 @@
/* per conntrack: application helper private data */
union ip_conntrack_help {
/* insert conntrack helper private data (master) here */
- struct ip_ct_pptp_master ct_pptp_info;
- struct ip_ct_mms_master ct_mms_info;
- struct ip_ct_h225_master ct_h225_info;
struct ip_ct_ftp_master ct_ftp_info;
struct ip_ct_irc_master ct_irc_info;
};
#ifdef CONFIG_IP_NF_NAT_NEEDED
#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter_ipv4/ip_nat_pptp.h>
/* per conntrack: nat application helper private data */
union ip_conntrack_nat_help {
/* insert nat helper private data here */
- struct ip_nat_pptp nat_pptp_info;
};
#endif
@@ -275,9 +258,5 @@
}
extern unsigned int ip_conntrack_htable_size;
-
-/* connection tracking time out variables. */
-extern int sysctl_ip_conntrack_tcp_timeouts[10];
-extern int sysctl_ip_conntrack_udp_timeouts[2];
#endif /* __KERNEL__ */
#endif /* _IP_CONNTRACK_H */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,30 +0,0 @@
-#ifndef _IP_CONNTRACK_H323_H
-#define _IP_CONNTRACK_H323_H
-/* H.323 connection tracking. */
-
-#ifdef __KERNEL__
-/* Protects H.323 related data */
-DECLARE_LOCK_EXTERN(ip_h323_lock);
-#endif
-
-/* Default H.225 port */
-#define H225_PORT 1720
-
-/* This structure is per expected connection */
-struct ip_ct_h225_expect {
- u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */
- enum ip_conntrack_dir dir; /* Direction of the original connection */
- unsigned int offset; /* offset of the address in the payload */
-};
-
-/* This structure exists only once per master */
-struct ip_ct_h225_master {
- int is_h225; /* H.225 or H.245 connection */
-#ifdef CONFIG_IP_NF_NAT_NEEDED
- enum ip_conntrack_dir dir; /* Direction of the original connection */
- u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */
- unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */
-#endif
-};
-
-#endif /* _IP_CONNTRACK_H323_H */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,31 +0,0 @@
-#ifndef _IP_CONNTRACK_MMS_H
-#define _IP_CONNTRACK_MMS_H
-/* MMS tracking. */
-
-#ifdef __KERNEL__
-#include <linux/netfilter_ipv4/lockhelp.h>
-
-DECLARE_LOCK_EXTERN(ip_mms_lock);
-
-#define MMS_PORT 1755
-#define MMS_SRV_MSG_ID 196610
-
-#define MMS_SRV_MSG_OFFSET 36
-#define MMS_SRV_UNICODE_STRING_OFFSET 60
-#define MMS_SRV_CHUNKLENLV_OFFSET 16
-#define MMS_SRV_CHUNKLENLM_OFFSET 32
-#define MMS_SRV_MESSAGELENGTH_OFFSET 8
-#endif
-
-/* This structure is per expected connection */
-struct ip_ct_mms_expect {
- u_int32_t len;
- u_int32_t padding;
- u_int16_t port;
-};
-
-/* This structure exists only once per master */
-struct ip_ct_mms_master {
-};
-
-#endif /* _IP_CONNTRACK_MMS_H */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,313 +0,0 @@
-/* PPTP constants and structs */
-#ifndef _CONNTRACK_PPTP_H
-#define _CONNTRACK_PPTP_H
-
-/* state of the control session */
-enum pptp_ctrlsess_state {
- PPTP_SESSION_NONE, /* no session present */
- PPTP_SESSION_ERROR, /* some session error */
- PPTP_SESSION_STOPREQ, /* stop_sess request seen */
- PPTP_SESSION_REQUESTED, /* start_sess request seen */
- PPTP_SESSION_CONFIRMED, /* session established */
-};
-
-/* state of the call inside the control session */
-enum pptp_ctrlcall_state {
- PPTP_CALL_NONE,
- PPTP_CALL_ERROR,
- PPTP_CALL_OUT_REQ,
- PPTP_CALL_OUT_CONF,
- PPTP_CALL_IN_REQ,
- PPTP_CALL_IN_REP,
- PPTP_CALL_IN_CONF,
- PPTP_CALL_CLEAR_REQ,
-};
-
-
-/* conntrack private data */
-struct ip_ct_pptp_master {
- enum pptp_ctrlsess_state sstate; /* session state */
-
- /* everything below is going to be per-expectation in newnat,
- * since there could be more than one call within one session */
- enum pptp_ctrlcall_state cstate; /* call state */
- u_int16_t pac_call_id; /* call id of PAC, host byte order */
- u_int16_t pns_call_id; /* call id of PNS, host byte order */
-};
-
-/* conntrack_expect private member */
-struct ip_ct_pptp_expect {
- enum pptp_ctrlcall_state cstate; /* call state */
- u_int16_t pac_call_id; /* call id of PAC */
- u_int16_t pns_call_id; /* call id of PNS */
-};
-
-
-#ifdef __KERNEL__
-
-#include <linux/netfilter_ipv4/lockhelp.h>
-DECLARE_LOCK_EXTERN(ip_pptp_lock);
-
-#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
-
-union pptp_ctrl_union {
- void *rawreq;
- struct PptpStartSessionRequest *sreq;
- struct PptpStartSessionReply *srep;
- struct PptpStopSessionReqest *streq;
- struct PptpStopSessionReply *strep;
- struct PptpOutCallRequest *ocreq;
- struct PptpOutCallReply *ocack;
- struct PptpInCallRequest *icreq;
- struct PptpInCallReply *icack;
- struct PptpInCallConnected *iccon;
- struct PptpClearCallRequest *clrreq;
- struct PptpCallDisconnectNotify *disc;
- struct PptpWanErrorNotify *wanerr;
- struct PptpSetLinkInfo *setlink;
-};
-
-
-
-#define PPTP_CONTROL_PORT 1723
-
-#define PPTP_PACKET_CONTROL 1
-#define PPTP_PACKET_MGMT 2
-
-#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
-
-struct pptp_pkt_hdr {
- __u16 packetLength;
- __u16 packetType;
- __u32 magicCookie;
-};
-
-/* PptpControlMessageType values */
-#define PPTP_START_SESSION_REQUEST 1
-#define PPTP_START_SESSION_REPLY 2
-#define PPTP_STOP_SESSION_REQUEST 3
-#define PPTP_STOP_SESSION_REPLY 4
-#define PPTP_ECHO_REQUEST 5
-#define PPTP_ECHO_REPLY 6
-#define PPTP_OUT_CALL_REQUEST 7
-#define PPTP_OUT_CALL_REPLY 8
-#define PPTP_IN_CALL_REQUEST 9
-#define PPTP_IN_CALL_REPLY 10
-#define PPTP_IN_CALL_CONNECT 11
-#define PPTP_CALL_CLEAR_REQUEST 12
-#define PPTP_CALL_DISCONNECT_NOTIFY 13
-#define PPTP_WAN_ERROR_NOTIFY 14
-#define PPTP_SET_LINK_INFO 15
-
-#define PPTP_MSG_MAX 15
-
-/* PptpGeneralError values */
-#define PPTP_ERROR_CODE_NONE 0
-#define PPTP_NOT_CONNECTED 1
-#define PPTP_BAD_FORMAT 2
-#define PPTP_BAD_VALUE 3
-#define PPTP_NO_RESOURCE 4
-#define PPTP_BAD_CALLID 5
-#define PPTP_REMOVE_DEVICE_ERROR 6
-
-struct PptpControlHeader {
- __u16 messageType;
- __u16 reserved;
-};
-
-/* FramingCapability Bitmap Values */
-#define PPTP_FRAME_CAP_ASYNC 0x1
-#define PPTP_FRAME_CAP_SYNC 0x2
-
-/* BearerCapability Bitmap Values */
-#define PPTP_BEARER_CAP_ANALOG 0x1
-#define PPTP_BEARER_CAP_DIGITAL 0x2
-
-struct PptpStartSessionRequest {
- __u16 protocolVersion;
- __u8 reserved1;
- __u8 reserved2;
- __u32 framingCapability;
- __u32 bearerCapability;
- __u16 maxChannels;
- __u16 firmwareRevision;
- __u8 hostName[64];
- __u8 vendorString[64];
-};
-
-/* PptpStartSessionResultCode Values */
-#define PPTP_START_OK 1
-#define PPTP_START_GENERAL_ERROR 2
-#define PPTP_START_ALREADY_CONNECTED 3
-#define PPTP_START_NOT_AUTHORIZED 4
-#define PPTP_START_UNKNOWN_PROTOCOL 5
-
-struct PptpStartSessionReply {
- __u16 protocolVersion;
- __u8 resultCode;
- __u8 generalErrorCode;
- __u32 framingCapability;
- __u32 bearerCapability;
- __u16 maxChannels;
- __u16 firmwareRevision;
- __u8 hostName[64];
- __u8 vendorString[64];
-};
-
-/* PptpStopReasons */
-#define PPTP_STOP_NONE 1
-#define PPTP_STOP_PROTOCOL 2
-#define PPTP_STOP_LOCAL_SHUTDOWN 3
-
-struct PptpStopSessionRequest {
- __u8 reason;
-};
-
-/* PptpStopSessionResultCode */
-#define PPTP_STOP_OK 1
-#define PPTP_STOP_GENERAL_ERROR 2
-
-struct PptpStopSessionReply {
- __u8 resultCode;
- __u8 generalErrorCode;
-};
-
-struct PptpEchoRequest {
- __u32 identNumber;
-};
-
-/* PptpEchoReplyResultCode */
-#define PPTP_ECHO_OK 1
-#define PPTP_ECHO_GENERAL_ERROR 2
-
-struct PptpEchoReply {
- __u32 identNumber;
- __u8 resultCode;
- __u8 generalErrorCode;
- __u16 reserved;
-};
-
-/* PptpFramingType */
-#define PPTP_ASYNC_FRAMING 1
-#define PPTP_SYNC_FRAMING 2
-#define PPTP_DONT_CARE_FRAMING 3
-
-/* PptpCallBearerType */
-#define PPTP_ANALOG_TYPE 1
-#define PPTP_DIGITAL_TYPE 2
-#define PPTP_DONT_CARE_BEARER_TYPE 3
-
-struct PptpOutCallRequest {
- __u16 callID;
- __u16 callSerialNumber;
- __u32 minBPS;
- __u32 maxBPS;
- __u32 bearerType;
- __u32 framingType;
- __u16 packetWindow;
- __u16 packetProcDelay;
- __u16 reserved1;
- __u16 phoneNumberLength;
- __u16 reserved2;
- __u8 phoneNumber[64];
- __u8 subAddress[64];
-};
-
-/* PptpCallResultCode */
-#define PPTP_OUTCALL_CONNECT 1
-#define PPTP_OUTCALL_GENERAL_ERROR 2
-#define PPTP_OUTCALL_NO_CARRIER 3
-#define PPTP_OUTCALL_BUSY 4
-#define PPTP_OUTCALL_NO_DIAL_TONE 5
-#define PPTP_OUTCALL_TIMEOUT 6
-#define PPTP_OUTCALL_DONT_ACCEPT 7
-
-struct PptpOutCallReply {
- __u16 callID;
- __u16 peersCallID;
- __u8 resultCode;
- __u8 generalErrorCode;
- __u16 causeCode;
- __u32 connectSpeed;
- __u16 packetWindow;
- __u16 packetProcDelay;
- __u32 physChannelID;
-};
-
-struct PptpInCallRequest {
- __u16 callID;
- __u16 callSerialNumber;
- __u32 callBearerType;
- __u32 physChannelID;
- __u16 dialedNumberLength;
- __u16 dialingNumberLength;
- __u8 dialedNumber[64];
- __u8 dialingNumber[64];
- __u8 subAddress[64];
-};
-
-/* PptpInCallResultCode */
-#define PPTP_INCALL_ACCEPT 1
-#define PPTP_INCALL_GENERAL_ERROR 2
-#define PPTP_INCALL_DONT_ACCEPT 3
-
-struct PptpInCallReply {
- __u16 callID;
- __u16 peersCallID;
- __u8 resultCode;
- __u8 generalErrorCode;
- __u16 packetWindow;
- __u16 packetProcDelay;
- __u16 reserved;
-};
-
-struct PptpInCallConnected {
- __u16 peersCallID;
- __u16 reserved;
- __u32 connectSpeed;
- __u16 packetWindow;
- __u16 packetProcDelay;
- __u32 callFramingType;
-};
-
-struct PptpClearCallRequest {
- __u16 callID;
- __u16 reserved;
-};
-
-struct PptpCallDisconnectNotify {
- __u16 callID;
- __u8 resultCode;
- __u8 generalErrorCode;
- __u16 causeCode;
- __u16 reserved;
- __u8 callStatistics[128];
-};
-
-struct PptpWanErrorNotify {
- __u16 peersCallID;
- __u16 reserved;
- __u32 crcErrors;
- __u32 framingErrors;
- __u32 hardwareOverRuns;
- __u32 bufferOverRuns;
- __u32 timeoutErrors;
- __u32 alignmentErrors;
-};
-
-struct PptpSetLinkInfo {
- __u16 peersCallID;
- __u16 reserved;
- __u32 sendAccm;
- __u32 recvAccm;
-};
-
-
-struct pptp_priv_data {
- __u16 call_id;
- __u16 mcall_id;
- __u16 pcall_id;
-};
-
-#endif /* __KERNEL__ */
-#endif /* _CONNTRACK_PPTP_H */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,121 +0,0 @@
-#ifndef _CONNTRACK_PROTO_GRE_H
-#define _CONNTRACK_PROTO_GRE_H
-#include <asm/byteorder.h>
-
-/* GRE PROTOCOL HEADER */
-
-/* GRE Version field */
-#define GRE_VERSION_1701 0x0
-#define GRE_VERSION_PPTP 0x1
-
-/* GRE Protocol field */
-#define GRE_PROTOCOL_PPTP 0x880B
-
-/* GRE Flags */
-#define GRE_FLAG_C 0x80
-#define GRE_FLAG_R 0x40
-#define GRE_FLAG_K 0x20
-#define GRE_FLAG_S 0x10
-#define GRE_FLAG_A 0x80
-
-#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
-#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
-#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
-#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
-#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
-
-/* GRE is a mess: Four different standards */
-struct gre_hdr {
-#if defined(__LITTLE_ENDIAN_BITFIELD)
- __u16 rec:3,
- srr:1,
- seq:1,
- key:1,
- routing:1,
- csum:1,
- version:3,
- reserved:4,
- ack:1;
-#elif defined(__BIG_ENDIAN_BITFIELD)
- __u16 csum:1,
- routing:1,
- key:1,
- seq:1,
- srr:1,
- rec:3,
- ack:1,
- reserved:4,
- version:3;
-#else
-#error "Adjust your <asm/byteorder.h> defines"
-#endif
- __u16 protocol;
-};
-
-/* modified GRE header for PPTP */
-struct gre_hdr_pptp {
- __u8 flags; /* bitfield */
- __u8 version; /* should be GRE_VERSION_PPTP */
- __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
- __u16 payload_len; /* size of ppp payload, not inc. gre header */
- __u16 call_id; /* peer's call_id for this session */
- __u32 seq; /* sequence number. Present if S==1 */
- __u32 ack; /* seq number of highest packet recieved by */
- /* sender in this session */
-};
-
-
-/* this is part of ip_conntrack */
-struct ip_ct_gre {
- unsigned int stream_timeout;
- unsigned int timeout;
-};
-
-/* this is part of ip_conntrack_expect */
-struct ip_ct_gre_expect {
- struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
-};
-
-#ifdef __KERNEL__
-
-/* structure for original <-> reply keymap */
-struct ip_ct_gre_keymap {
- struct list_head list;
-
- struct ip_conntrack_tuple tuple;
- struct ip_conntrack_expect *master;
-};
-
-
-/* add new tuple->key_reply pair to keymap */
-int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
- struct ip_conntrack_tuple *t,
- int reply);
-
-/* change an existing keymap entry */
-void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
- struct ip_conntrack_tuple *t);
-
-
-
-/* get pointer to gre key, if present */
-static inline u_int32_t *gre_key(struct gre_hdr *greh)
-{
- if (!greh->key)
- return NULL;
- if (greh->csum || greh->routing)
- return (u_int32_t *) (greh+sizeof(*greh)+4);
- return (u_int32_t *) (greh+sizeof(*greh));
-}
-
-/* get pointer ot gre csum, if present */
-static inline u_int16_t *gre_csum(struct gre_hdr *greh)
-{
- if (!greh->csum)
- return NULL;
- return (u_int16_t *) (greh+sizeof(*greh));
-}
-
-#endif /* __KERNEL__ */
-
-#endif /* _CONNTRACK_PROTO_GRE_H */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,13 +0,0 @@
-#ifndef _IP_CT_TFTP
-#define _IP_CT_TFTP
-
-#define TFTP_PORT 69
-
-struct tftphdr {
- u_int16_t opcode;
-};
-
-#define TFTP_OPCODE_READ 1
-#define TFTP_OPCODE_WRITE 2
-
-#endif /* _IP_CT_TFTP */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-05-09 04:13:03.000000000 -0400
@@ -14,7 +14,7 @@
union ip_conntrack_manip_proto
{
/* Add other protocols here. */
- u_int32_t all;
+ u_int16_t all;
struct {
u_int16_t port;
@@ -25,9 +25,6 @@
struct {
u_int16_t id;
} icmp;
- struct {
- u_int32_t key;
- } gre;
};
/* The manipulable part of the tuple. */
@@ -47,7 +44,7 @@
u_int32_t ip;
union {
/* Add other protocols here. */
- u_int64_t all;
+ u_int16_t all;
struct {
u_int16_t port;
@@ -58,11 +55,6 @@
struct {
u_int8_t type, code;
} icmp;
- struct {
- u_int16_t protocol;
- u_int8_t version;
- u_int32_t key;
- } gre;
} u;
/* The protocol. */
@@ -80,16 +72,10 @@
#ifdef __KERNEL__
#define DUMP_TUPLE(tp) \
-DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \
+DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \
(tp), (tp)->dst.protonum, \
- NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \
- NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all))
-
-#define DUMP_TUPLE_RAW(x) \
- DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\
- (x), (x)->dst.protonum, \
- NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \
- NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all))
+ NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \
+ NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,11 +0,0 @@
-/* PPTP constants and structs */
-#ifndef _NAT_PPTP_H
-#define _NAT_PPTP_H
-
-/* conntrack private data */
-struct ip_nat_pptp {
- u_int16_t pns_call_id; /* NAT'ed PNS call id */
- u_int16_t pac_call_id; /* NAT'ed PAC call id */
-};
-
-#endif /* _NAT_PPTP_H */
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_pool.h
--- src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_pool.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,64 +0,0 @@
-#ifndef _IP_POOL_H
-#define _IP_POOL_H
-
-/***************************************************************************/
-/* This program is free software; you can redistribute it and/or modify */
-/* it under the terms of the GNU General Public License as published by */
-/* the Free Software Foundation; either version 2 of the License, or */
-/* (at your option) any later version. */
-/* */
-/* This program is distributed in the hope that it will be useful, */
-/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
-/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
-/* GNU General Public License for more details. */
-/* */
-/* You should have received a copy of the GNU General Public License */
-/* along with this program; if not, write to the Free Software */
-/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
-/***************************************************************************/
-
-/* A sockopt of such quality has hardly ever been seen before on the open
- * market! This little beauty, hardly ever used: above 64, so it's
- * traditionally used for firewalling, not touched (even once!) by the
- * 2.0, 2.2 and 2.4 kernels!
- *
- * Comes with its own certificate of authenticity, valid anywhere in the
- * Free world!
- *
- * Rusty, 19.4.2000
- */
-#define SO_IP_POOL 81
-
-typedef int ip_pool_t; /* pool index */
-#define IP_POOL_NONE ((ip_pool_t)-1)
-
-struct ip_pool_request {
- int op;
- ip_pool_t index;
- u_int32_t addr;
- u_int32_t addr2;
-};
-
-/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
-
-#define IP_POOL_BAD001 0x00000010
-
-#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */
-#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */
-#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */
-#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */
-#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */
-#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */
-#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */
-#define IP_POOL_USAGE 0x00000018 /* result in addr */
-#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */
-
-#ifdef __KERNEL__
-
-/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */
-extern int ip_pool_match(ip_pool_t pool, u_int32_t addr);
-extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel);
-
-#endif
-
-#endif /*_IP_POOL_H*/
diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h src/linux/linux.stock/include/linux/netfilter_ipv4/ipt_pool.h
--- src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h 2003-07-04 04:12:27.000000000 -0400
+++ src/linux/linux.stock/include/linux/netfilter_ipv4/ipt_pool.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,25 +0,0 @@
-#ifndef _IPT_POOL_H
-#define _IPT_POOL_H
-
-#include <linux/netfilter_ipv4/ip_pool.h>
-
-#define IPT_POOL_INV_SRC 0x00000001
-#define IPT_POOL_INV_DST 0x00000002
-#define IPT_POOL_DEL_SRC 0x00000004
-#define IPT_POOL_DEL_DST 0x00000008
-#define IPT_POOL_INV_MOD_SRC 0x00000010
-#define IPT_POOL_INV_MOD_DST 0x00000020
-#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040
-#define IPT_POOL_MOD_DST_ACCEPT 0x00000080
-#define IPT_POOL_MOD_SRC_DROP 0x00000100
-#define IPT_POOL_MOD_DST_DROP 0x00000200
-
-/* match info */
-struct ipt_pool_info
-{
- ip_pool_t src;
- ip_pool_t dst;
- unsigned flags;
-};
-
-#endif /*_IPT_POOL_H*/
diff -Nurb src/linux/linux/net/ipv4/netfilter/Config.in src/linux/linux.stock/net/ipv4/netfilter/Config.in
--- src/linux/linux/net/ipv4/netfilter/Config.in 2004-02-19 06:04:35.000000000 -0500
+++ src/linux/linux.stock/net/ipv4/netfilter/Config.in 2004-05-09 04:13:03.000000000 -0400
@@ -7,12 +7,7 @@
tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' H.323 (netmeeting) support' CONFIG_IP_NF_H323 $CONFIG_IP_NF_CONNTRACK
dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' MMS protocol support' CONFIG_IP_NF_MMS $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK
- dep_tristate ' PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE
fi
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
@@ -22,19 +17,11 @@
if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
# The simple matches.
dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
-
- dep_tristate ' IP address pool support' CONFIG_IP_NF_POOL $CONFIG_IP_NF_IPTABLES
- if [ "$CONFIG_IP_NF_POOL" = "y" -o "$CONFIG_IP_NF_POOL" = "m" ]; then
- bool ' enable statistics on pool usage' CONFIG_IP_POOL_STATISTICS n
- fi
-
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
- dep_tristate ' Multiple port with ranges match support' CONFIG_IP_NF_MATCH_MPORT $CONFIG_IP_NF_IPTABLES
dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
- dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES
dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES
dep_tristate ' DSCP match support' CONFIG_IP_NF_MATCH_DSCP $CONFIG_IP_NF_IPTABLES
@@ -52,7 +39,6 @@
fi
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
- dep_tristate ' Webstr match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_WEBSTR $CONFIG_IP_NF_IPTABLES
dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
fi
# The targets
@@ -70,29 +56,6 @@
define_bool CONFIG_IP_NF_NAT_NEEDED y
dep_tristate ' MASQUERADE target support' CONFIG_IP_NF_TARGET_MASQUERADE $CONFIG_IP_NF_NAT
dep_tristate ' REDIRECT target support' CONFIG_IP_NF_TARGET_REDIRECT $CONFIG_IP_NF_NAT
- dep_tristate ' Automatic port forwarding (autofw) target support' CONFIG_IP_NF_AUTOFW $CONFIG_IP_NF_NAT
- dep_tristate ' TRIGGER target support (port-trigger)' CONFIG_IP_NF_TARGET_TRIGGER $CONFIG_IP_NF_NAT
- if [ "$CONFIG_IP_NF_H323" = "m" ]; then
- define_tristate CONFIG_IP_NF_NAT_H323 m
- else
- if [ "$CONFIG_IP_NF_H323" = "y" ]; then
- define_tristate CONFIG_IP_NF_NAT_H323 $CONFIG_IP_NF_NAT
- fi
- fi
- if [ "$CONFIG_IP_NF_PPTP" = "m" ]; then
- define_tristate CONFIG_IP_NF_NAT_PPTP m
- else
- if [ "$CONFIG_IP_NF_PPTP" = "y" ]; then
- define_tristate CONFIG_IP_NF_NAT_PPTP $CONFIG_IP_NF_NAT
- fi
- fi
- if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "m" ]; then
- define_tristate CONFIG_IP_NF_NAT_PROTO_GRE m
- else
- if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "y" ]; then
- define_tristate CONFIG_IP_NF_NAT_PROTO_GRE $CONFIG_IP_NF_NAT
- fi
- fi
bool ' NAT of local connections (READ HELP)' CONFIG_IP_NF_NAT_LOCAL
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' Basic SNMP-ALG support (EXPERIMENTAL)' CONFIG_IP_NF_NAT_SNMP_BASIC $CONFIG_IP_NF_NAT
@@ -104,13 +67,6 @@
define_tristate CONFIG_IP_NF_NAT_IRC $CONFIG_IP_NF_NAT
fi
fi
- if [ "$CONFIG_IP_NF_MMS" = "m" ]; then
- define_tristate CONFIG_IP_NF_NAT_MMS m
- else
- if [ "$CONFIG_IP_NF_MMS" = "y" ]; then
- define_tristate CONFIG_IP_NF_NAT_MMS $CONFIG_IP_NF_NAT
- fi
- fi
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
if [ "$CONFIG_IP_NF_FTP" = "m" ]; then
@@ -120,13 +76,6 @@
define_tristate CONFIG_IP_NF_NAT_FTP $CONFIG_IP_NF_NAT
fi
fi
- if [ "$CONFIG_IP_NF_TFTP" = "m" ]; then
- define_tristate CONFIG_IP_NF_NAT_TFTP m
- else
- if [ "$CONFIG_IP_NF_TFTP" = "y" ]; then
- define_tristate CONFIG_IP_NF_NAT_TFTP $CONFIG_IP_NF_NAT
- fi
- fi
fi
fi
diff -Nurb src/linux/linux/net/ipv4/netfilter/Makefile src/linux/linux.stock/net/ipv4/netfilter/Makefile
--- src/linux/linux/net/ipv4/netfilter/Makefile 2004-02-19 06:04:35.000000000 -0500
+++ src/linux/linux.stock/net/ipv4/netfilter/Makefile 2004-05-09 04:13:03.000000000 -0400
@@ -31,48 +31,20 @@
# connection tracking
obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
-# H.323 support
-obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
-obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
-ifdef CONFIG_IP_NF_NAT_H323
- export-objs += ip_conntrack_h323.o
-endif
-
-
-# connection tracking protocol helpers
-obj-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre.o
-ifdef CONFIG_IP_NF_CT_PROTO_GRE
- export-objs += ip_conntrack_proto_gre.o
-endif
-
-# NAT protocol helpers
-obj-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre.o
-
# connection tracking helpers
-obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
-ifdef CONFIG_IP_NF_NAT_MMS
- export-objs += ip_conntrack_mms.o
-endif
-obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
-ifdef CONFIG_IP_NF_NAT_PPTP
- export-objs += ip_conntrack_pptp.o
-endif
-obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o
ifdef CONFIG_IP_NF_NAT_FTP
export-objs += ip_conntrack_ftp.o
endif
+
obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
ifdef CONFIG_IP_NF_NAT_IRC
export-objs += ip_conntrack_irc.o
endif
# NAT helpers
-obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
-obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
-obj-$(CONFIG_IP_NF_NAT_MMS) += ip_nat_mms.o
# generic IP tables
obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
@@ -86,19 +58,12 @@
obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
-obj-$(CONFIG_IP_NF_POOL) += ipt_pool.o ip_pool.o
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
-
-obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o
-
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
-
-obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
-
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
@@ -109,7 +74,6 @@
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
-obj-$(CONFIG_IP_NF_MATCH_WEBSTR) += ipt_webstr.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
# targets
@@ -125,8 +89,6 @@
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
-obj-$(CONFIG_IP_NF_AUTOFW) += ip_autofw.o
-obj-$(CONFIG_IP_NF_TARGET_TRIGGER) += ipt_TRIGGER.o
# generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_core.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_core.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_core.c 2003-08-12 07:33:45.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_core.c 2004-05-09 04:13:03.000000000 -0400
@@ -47,7 +47,11 @@
#define IP_CONNTRACK_VERSION "2.1"
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
DECLARE_RWLOCK(ip_conntrack_lock);
DECLARE_RWLOCK(ip_conntrack_expect_tuple_lock);
@@ -62,29 +66,6 @@
struct list_head *ip_conntrack_hash;
static kmem_cache_t *ip_conntrack_cachep;
-#define SECS * HZ
-#define MINS * 60 SECS
-#define HOURS * 60 MINS
-#define DAYS * 24 HOURS
-
-int sysctl_ip_conntrack_tcp_timeouts[10] = {
- 30 MINS, /* TCP_CONNTRACK_NONE, */
- 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
- 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
- 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
- 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
- 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
- 10 SECS, /* TCP_CONNTRACK_CLOSE, */
- 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
- 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
- 2 MINS, /* TCP_CONNTRACK_LISTEN, */
-};
-
-int sysctl_ip_conntrack_udp_timeouts[2] = {
- 30 SECS, /* UNREPLIED */
- 180 SECS /* ASSURED */
-};
-
extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr,
@@ -129,6 +110,9 @@
static inline u_int32_t
hash_conntrack(const struct ip_conntrack_tuple *tuple)
{
+#if 0
+ dump_tuple(tuple);
+#endif
/* ntohl because more differences in low bits. */
/* To ensure that halves of the same connection don't hash
clash, we add the source per-proto again. */
@@ -160,8 +144,6 @@
tuple->dst.ip = iph->daddr;
tuple->dst.protonum = iph->protocol;
- tuple->src.u.all = tuple->dst.u.all = 0;
-
ret = protocol->pkt_to_tuple((u_int32_t *)iph + iph->ihl,
len - 4*iph->ihl,
tuple);
@@ -177,8 +159,6 @@
inverse->dst.ip = orig->src.ip;
inverse->dst.protonum = orig->dst.protonum;
- inverse->src.u.all = inverse->dst.u.all = 0;
-
return protocol->invert_tuple(inverse, orig);
}
@@ -196,8 +176,8 @@
static void
destroy_expect(struct ip_conntrack_expect *exp)
{
- DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(&exp->use));
- IP_NF_ASSERT(atomic_read(&exp->use));
+ DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(exp->use));
+ IP_NF_ASSERT(atomic_read(exp->use));
IP_NF_ASSERT(!timer_pending(&exp->timeout));
kfree(exp);
@@ -267,11 +247,11 @@
static void unexpect_related(struct ip_conntrack_expect *expect)
{
IP_NF_ASSERT(expect->expectant);
+ IP_NF_ASSERT(expect->expectant->helper);
/* if we are supposed to have a timer, but we can't delete
* it: race condition. __unexpect_related will
* be calledd by timeout function */
- if (expect->expectant->helper
- && expect->expectant->helper->timeout
+ if (expect->expectant->helper->timeout
&& !del_timer(&expect->timeout))
return;
@@ -580,6 +560,7 @@
if (!h) {
/* Locally generated ICMPs will match inverted if they
haven't been SNAT'ed yet */
+ /* FIXME: NAT code has to handle half-done double NAT --RR */
if (hooknum == NF_IP_LOCAL_OUT)
h = ip_conntrack_find_get(&origtuple, NULL);
@@ -725,7 +706,6 @@
/* If the expectation is dying, then this is a looser. */
if (expected
- && expected->expectant->helper
&& expected->expectant->helper->timeout
&& ! del_timer(&expected->timeout))
expected = NULL;
@@ -744,7 +724,6 @@
conntrack->master = expected;
expected->sibling = conntrack;
LIST_DELETE(&ip_conntrack_expect_list, expected);
- INIT_LIST_HEAD(&expected->list);
expected->expectant->expecting--;
nf_conntrack_get(&master_ct(conntrack)->infos[0]);
}
@@ -821,9 +800,23 @@
int set_reply;
int ret;
+ /* FIXME: Do this right please. --RR */
(*pskb)->nfcache |= NFC_UNKNOWN;
/* Doesn't cover locally-generated broadcast, so not worth it. */
+#if 0
+ /* Ignore broadcast: no `connection'. */
+ if ((*pskb)->pkt_type == PACKET_BROADCAST) {
+ printk("Broadcast packet!\n");
+ return NF_ACCEPT;
+ } else if (((*pskb)->nh.iph->daddr & htonl(0x000000FF))
+ == htonl(0x000000FF)) {
+ printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n",
+ NIPQUAD((*pskb)->nh.iph->saddr),
+ NIPQUAD((*pskb)->nh.iph->daddr),
+ (*pskb)->sk, (*pskb)->pkt_type);
+ }
+#endif
/* Previously seen (loopback)? Ignore. Do this before
fragment check. */
@@ -943,8 +936,8 @@
* so there is no need to use the tuple lock too */
DEBUGP("ip_conntrack_expect_related %p\n", related_to);
- DEBUGP("tuple: "); DUMP_TUPLE_RAW(&expect->tuple);
- DEBUGP("mask: "); DUMP_TUPLE_RAW(&expect->mask);
+ DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple);
+ DEBUGP("mask: "); DUMP_TUPLE(&expect->mask);
old = LIST_FIND(&ip_conntrack_expect_list, resent_expect,
struct ip_conntrack_expect *, &expect->tuple,
@@ -954,8 +947,7 @@
pointing into the payload - otherwise we should have to copy
the data filled out by the helper over the old one */
DEBUGP("expect_related: resent packet\n");
- if (related_to->helper &&
- related_to->helper->timeout) {
+ if (related_to->helper->timeout) {
if (!del_timer(&old->timeout)) {
/* expectation is dying. Fall through */
old = NULL;
@@ -970,32 +962,26 @@
WRITE_UNLOCK(&ip_conntrack_lock);
return -EEXIST;
}
- } else if (related_to->helper &&
- related_to->helper->max_expected &&
+ } else if (related_to->helper->max_expected &&
related_to->expecting >= related_to->helper->max_expected) {
struct list_head *cur_item;
/* old == NULL */
- if (!(related_to->helper->flags &
- IP_CT_HELPER_F_REUSE_EXPECT)) {
- WRITE_UNLOCK(&ip_conntrack_lock);
if (net_ratelimit())
printk(KERN_WARNING
"ip_conntrack: max number of expected "
"connections %i of %s reached for "
- "%u.%u.%u.%u->%u.%u.%u.%u\n",
+ "%u.%u.%u.%u->%u.%u.%u.%u%s\n",
related_to->helper->max_expected,
related_to->helper->name,
NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
+ NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip),
+ related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT ?
+ ", reusing" : "");
+ if (!(related_to->helper->flags &
+ IP_CT_HELPER_F_REUSE_EXPECT)) {
+ WRITE_UNLOCK(&ip_conntrack_lock);
return -EPERM;
}
- DEBUGP("ip_conntrack: max number of expected "
- "connections %i of %s reached for "
- "%u.%u.%u.%u->%u.%u.%u.%u, reusing\n",
- related_to->helper->max_expected,
- related_to->helper->name,
- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
/* choose the the oldest expectation to evict */
list_for_each(cur_item, &related_to->sibling_list) {
@@ -1055,8 +1041,7 @@
/* add to global list of expectations */
list_prepend(&ip_conntrack_expect_list, &new->list);
/* add and start timer if required */
- if (related_to->helper &&
- related_to->helper->timeout) {
+ if (related_to->helper->timeout) {
init_timer(&new->timeout);
new->timeout.data = (unsigned long)new;
new->timeout.function = expectation_timed_out;
@@ -1079,10 +1064,11 @@
MUST_BE_READ_LOCKED(&ip_conntrack_lock);
WRITE_LOCK(&ip_conntrack_expect_tuple_lock);
+
DEBUGP("change_expect:\n");
- DEBUGP("exp tuple: "); DUMP_TUPLE_RAW(&expect->tuple);
- DEBUGP("exp mask: "); DUMP_TUPLE_RAW(&expect->mask);
- DEBUGP("newtuple: "); DUMP_TUPLE_RAW(newtuple);
+ DEBUGP("exp tuple: "); DUMP_TUPLE(&expect->tuple);
+ DEBUGP("exp mask: "); DUMP_TUPLE(&expect->mask);
+ DEBUGP("newtuple: "); DUMP_TUPLE(newtuple);
if (expect->ct_tuple.dst.protonum == 0) {
/* Never seen before */
DEBUGP("change expect: never seen before\n");
@@ -1360,8 +1346,6 @@
0, NULL };
#define NET_IP_CONNTRACK_MAX 2089
-#define NET_IP_CONNTRACK_TCP_TIMEOUTS 2090
-#define NET_IP_CONNTRACK_UDP_TIMEOUTS 2091
#define NET_IP_CONNTRACK_MAX_NAME "ip_conntrack_max"
#ifdef CONFIG_SYSCTL
@@ -1370,14 +1354,6 @@
static ctl_table ip_conntrack_table[] = {
{ NET_IP_CONNTRACK_MAX, NET_IP_CONNTRACK_MAX_NAME, &ip_conntrack_max,
sizeof(ip_conntrack_max), 0644, NULL, proc_dointvec },
- { NET_IP_CONNTRACK_TCP_TIMEOUTS, "ip_conntrack_tcp_timeouts",
- &sysctl_ip_conntrack_tcp_timeouts,
- sizeof(sysctl_ip_conntrack_tcp_timeouts),
- 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies },
- { NET_IP_CONNTRACK_UDP_TIMEOUTS, "ip_conntrack_udp_timeouts",
- &sysctl_ip_conntrack_udp_timeouts,
- sizeof(sysctl_ip_conntrack_udp_timeouts),
- 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies },
{ 0 }
};
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_ftp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_ftp.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c 2004-05-09 04:13:03.000000000 -0400
@@ -24,7 +24,11 @@
static int loose = 0;
MODULE_PARM(loose, "i");
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
static int try_rfc959(const char *, size_t, u_int32_t [], char);
static int try_eprt(const char *, size_t, u_int32_t [], char);
@@ -191,6 +195,16 @@
}
if (strnicmp(data, pattern, plen) != 0) {
+#if 0
+ size_t i;
+
+ DEBUGP("ftp: string mismatch\n");
+ for (i = 0; i < plen; i++) {
+ DEBUGFTP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
+ i, data[i], data[i],
+ pattern[i], pattern[i]);
+ }
+#endif
return 0;
}
@@ -214,6 +228,7 @@
return 1;
}
+/* FIXME: This should be in userspace. Later. */
static int help(const struct iphdr *iph, size_t len,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo)
@@ -249,6 +264,7 @@
}
/* Checksum invalid? Ignore. */
+ /* FIXME: Source route IP option packets --RR */
if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
csum_partial((char *)tcph, tcplen, 0))) {
DEBUGP("ftp_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_h323.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_h323.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,302 +0,0 @@
-/*
- * H.323 'brute force' extension for H.323 connection tracking.
- * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
- * (http://www.coritel.it/projects/sofia/nat/)
- * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind'
- * the unregistered helpers to the conntrack entries.
- */
-
-
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/lockhelp.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_core.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
-MODULE_LICENSE("GPL");
-
-DECLARE_LOCK(ip_h323_lock);
-struct module *ip_conntrack_h323 = THIS_MODULE;
-
-#define DEBUGP(format, args...)
-
-static int h245_help(const struct iphdr *iph, size_t len,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo)
-{
- struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
- unsigned char *data = (unsigned char *) tcph + tcph->doff * 4;
- unsigned char *data_limit;
- u_int32_t tcplen = len - iph->ihl * 4;
- u_int32_t datalen = tcplen - tcph->doff * 4;
- int dir = CTINFO2DIR(ctinfo);
- struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
- struct ip_conntrack_expect expect, *exp = &expect;
- struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info;
- u_int16_t data_port;
- u_int32_t data_ip;
- unsigned int i;
-
- DEBUGP("ct_h245_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
- NIPQUAD(iph->saddr), ntohs(tcph->source),
- NIPQUAD(iph->daddr), ntohs(tcph->dest));
-
- /* Can't track connections formed before we registered */
- if (!info)
- return NF_ACCEPT;
-
- /* Until there's been traffic both ways, don't look in packets. */
- if (ctinfo != IP_CT_ESTABLISHED
- && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
- DEBUGP("ct_h245_help: Conntrackinfo = %u\n", ctinfo);
- return NF_ACCEPT;
- }
-
- /* Not whole TCP header or too short packet? */
- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) {
- DEBUGP("ct_h245_help: tcplen = %u\n", (unsigned)tcplen);
- return NF_ACCEPT;
- }
-
- /* Checksum invalid? Ignore. */
- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
- csum_partial((char *)tcph, tcplen, 0))) {
- DEBUGP("ct_h245_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
- tcph, tcplen, NIPQUAD(iph->saddr),
- NIPQUAD(iph->daddr));
- return NF_ACCEPT;
- }
-
- data_limit = (unsigned char *) data + datalen;
- /* bytes: 0123 45
- ipadrr port */
- for (i = 0; data < (data_limit - 5); data++, i++) {
- memcpy(&data_ip, data, sizeof(u_int32_t));
- if (data_ip == iph->saddr) {
- memcpy(&data_port, data + 4, sizeof(u_int16_t));
- memset(&expect, 0, sizeof(expect));
- /* update the H.225 info */
- DEBUGP("ct_h245_help: new RTCP/RTP requested %u.%u.%u.%u:->%u.%u.%u.%u:%u\n",
- NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
- NIPQUAD(iph->saddr), ntohs(data_port));
- LOCK_BH(&ip_h323_lock);
- info->is_h225 = H225_PORT + 1;
- exp_info->port = data_port;
- exp_info->dir = dir;
- exp_info->offset = i;
-
- exp->seq = ntohl(tcph->seq) + i;
-
- exp->tuple = ((struct ip_conntrack_tuple)
- { { ct->tuplehash[!dir].tuple.src.ip,
- { 0 } },
- { data_ip,
- { data_port },
- IPPROTO_UDP }});
- exp->mask = ((struct ip_conntrack_tuple)
- { { 0xFFFFFFFF, { 0 } },
- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
-
- exp->expectfn = NULL;
-
- /* Ignore failure; should only happen with NAT */
- ip_conntrack_expect_related(ct, exp);
-
- UNLOCK_BH(&ip_h323_lock);
- }
- }
-
- return NF_ACCEPT;
-
-}
-
-/* H.245 helper is not registered! */
-static struct ip_conntrack_helper h245 =
- { { NULL, NULL },
- "H.245", /* name */
- IP_CT_HELPER_F_REUSE_EXPECT, /* flags */
- NULL, /* module */
- 8, /* max_ expected */
- 240, /* timeout */
- { { 0, { 0 } }, /* tuple */
- { 0, { 0 }, IPPROTO_TCP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- h245_help /* helper */
- };
-
-static int h225_expect(struct ip_conntrack *ct)
-{
- WRITE_LOCK(&ip_conntrack_lock);
- ct->helper = &h245;
- DEBUGP("h225_expect: helper for %p added\n", ct);
- WRITE_UNLOCK(&ip_conntrack_lock);
-
- return NF_ACCEPT; /* unused */
-}
-
-static int h225_help(const struct iphdr *iph, size_t len,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo)
-{
- struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
- unsigned char *data = (unsigned char *) tcph + tcph->doff * 4;
- unsigned char *data_limit;
- u_int32_t tcplen = len - iph->ihl * 4;
- u_int32_t datalen = tcplen - tcph->doff * 4;
- int dir = CTINFO2DIR(ctinfo);
- struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
- struct ip_conntrack_expect expect, *exp = &expect;
- struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info;
- u_int16_t data_port;
- u_int32_t data_ip;
- unsigned int i;
-
- DEBUGP("ct_h225_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
- NIPQUAD(iph->saddr), ntohs(tcph->source),
- NIPQUAD(iph->daddr), ntohs(tcph->dest));
-
- /* Can't track connections formed before we registered */
- if (!info)
- return NF_ACCEPT;
-
- /* Until there's been traffic both ways, don't look in packets. */
- if (ctinfo != IP_CT_ESTABLISHED
- && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
- DEBUGP("ct_h225_help: Conntrackinfo = %u\n", ctinfo);
- return NF_ACCEPT;
- }
-
- /* Not whole TCP header or too short packet? */
- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) {
- DEBUGP("ct_h225_help: tcplen = %u\n", (unsigned)tcplen);
- return NF_ACCEPT;
- }
-
- /* Checksum invalid? Ignore. */
- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
- csum_partial((char *)tcph, tcplen, 0))) {
- DEBUGP("ct_h225_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
- tcph, tcplen, NIPQUAD(iph->saddr),
- NIPQUAD(iph->daddr));
- return NF_ACCEPT;
- }
-
- data_limit = (unsigned char *) data + datalen;
- /* bytes: 0123 45
- ipadrr port */
- for (i = 0; data < (data_limit - 5); data++, i++) {
- memcpy(&data_ip, data, sizeof(u_int32_t));
- if (data_ip == iph->saddr) {
- memcpy(&data_port, data + 4, sizeof(u_int16_t));
- if (data_port == tcph->source) {
- /* Signal address */
- DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n",
- NIPQUAD(iph->saddr));
- /* Update the H.225 info so that NAT can mangle the address/port
- even when we have no expected connection! */
-#ifdef CONFIG_IP_NF_NAT_NEEDED
- LOCK_BH(&ip_h323_lock);
- info->dir = dir;
- info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i;
- info->offset[IP_CT_DIR_ORIGINAL] = i;
- UNLOCK_BH(&ip_h323_lock);
-#endif
- } else {
- memset(&expect, 0, sizeof(expect));
-
- /* update the H.225 info */
- LOCK_BH(&ip_h323_lock);
- info->is_h225 = H225_PORT;
- exp_info->port = data_port;
- exp_info->dir = dir;
- exp_info->offset = i;
-
- exp->seq = ntohl(tcph->seq) + i;
-
- exp->tuple = ((struct ip_conntrack_tuple)
- { { ct->tuplehash[!dir].tuple.src.ip,
- { 0 } },
- { data_ip,
- { data_port },
- IPPROTO_TCP }});
- exp->mask = ((struct ip_conntrack_tuple)
- { { 0xFFFFFFFF, { 0 } },
- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
-
- exp->expectfn = h225_expect;
-
- /* Ignore failure */
- ip_conntrack_expect_related(ct, exp);
-
- DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n",
- NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
- NIPQUAD(iph->saddr), ntohs(data_port));
-
- UNLOCK_BH(&ip_h323_lock);
- }
-#ifdef CONFIG_IP_NF_NAT_NEEDED
- } else if (data_ip == iph->daddr) {
- memcpy(&data_port, data + 4, sizeof(u_int16_t));
- if (data_port == tcph->dest) {
- /* Signal address */
- DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n",
- NIPQUAD(iph->daddr));
- /* Update the H.225 info so that NAT can mangle the address/port
- even when we have no expected connection! */
- LOCK_BH(&ip_h323_lock);
- info->dir = dir;
- info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i;
- info->offset[IP_CT_DIR_REPLY] = i;
- UNLOCK_BH(&ip_h323_lock);
- }
-#endif
- }
- }
-
- return NF_ACCEPT;
-
-}
-
-static struct ip_conntrack_helper h225 =
- { { NULL, NULL },
- "H.225", /* name */
- IP_CT_HELPER_F_REUSE_EXPECT, /* flags */
- THIS_MODULE, /* module */
- 2, /* max_expected */
- 240, /* timeout */
- { { 0, { __constant_htons(H225_PORT) } }, /* tuple */
- { 0, { 0 }, IPPROTO_TCP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- h225_help /* helper */
- };
-
-static int __init init(void)
-{
- return ip_conntrack_helper_register(&h225);
-}
-
-static void __exit fini(void)
-{
- /* Unregister H.225 helper */
- ip_conntrack_helper_unregister(&h225);
-}
-
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-EXPORT_SYMBOL(ip_h323_lock);
-#endif
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_mms.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_mms.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,292 +0,0 @@
-/* MMS extension for IP connection tracking
- * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
- * based on ip_conntrack_ftp.c and ip_conntrack_irc.c
- *
- * ip_conntrack_mms.c v0.3 2002-09-22
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- *
- * Module load syntax:
- * insmod ip_conntrack_mms.o ports=port1,port2,...port<MAX_PORTS>
- *
- * Please give the ports of all MMS servers You wish to connect to.
- * If you don't specify ports, the default will be TCP port 1755.
- *
- * More info on MMS protocol, firewalls and NAT:
- * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp
- * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp
- *
- * The SDP project people are reverse-engineering MMS:
- * http://get.to/sdp
- */
-
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <linux/ctype.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/lockhelp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
-
-DECLARE_LOCK(ip_mms_lock);
-struct module *ip_conntrack_mms = THIS_MODULE;
-
-#define MAX_PORTS 8
-static int ports[MAX_PORTS];
-static int ports_c;
-#ifdef MODULE_PARM
-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
-#endif
-
-#define DEBUGP(format, args...)
-
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-EXPORT_SYMBOL(ip_mms_lock);
-#endif
-
-MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
-MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module");
-MODULE_LICENSE("GPL");
-
-/* #define isdigit(c) (c >= '0' && c <= '9') */
-
-/* copied from drivers/usb/serial/io_edgeport.c - not perfect but will do the trick */
-static void unicode_to_ascii (char *string, short *unicode, int unicode_size)
-{
- int i;
- for (i = 0; i < unicode_size; ++i) {
- string[i] = (char)(unicode[i]);
- }
- string[unicode_size] = 0x00;
-}
-
-__inline static int atoi(char *s)
-{
- int i=0;
- while (isdigit(*s)) {
- i = i*10 + *(s++) - '0';
- }
- return i;
-}
-
-/* convert ip address string like "192.168.0.10" to unsigned int */
-__inline static u_int32_t asciiiptoi(char *s)
-{
- unsigned int i, j, k;
-
- for(i=k=0; k<3; ++k, ++s, i<<=8) {
- i+=atoi(s);
- for(j=0; (*(++s) != '.') && (j<3); ++j)
- ;
- }
- i+=atoi(s);
- return ntohl(i);
-}
-
-int parse_mms(const char *data,
- const unsigned int datalen,
- u_int32_t *mms_ip,
- u_int16_t *mms_proto,
- u_int16_t *mms_port,
- char **mms_string_b,
- char **mms_string_e,
- char **mms_padding_e)
-{
- int unicode_size, i;
- char tempstring[28]; /* "\\255.255.255.255\UDP\65535" */
- char getlengthstring[28];
-
- for(unicode_size=0;
- (char) *(data+(MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2)) != (char)0;
- unicode_size++)
- if ((unicode_size == 28) || (MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2 >= datalen))
- return -1; /* out of bounds - incomplete packet */
-
- unicode_to_ascii(tempstring, (short *)(data+MMS_SRV_UNICODE_STRING_OFFSET), unicode_size);
- DEBUGP("ip_conntrack_mms: offset 60: %s\n", (const char *)(tempstring));
-
- /* IP address ? */
- *mms_ip = asciiiptoi(tempstring+2);
-
- i=sprintf(getlengthstring, "%u.%u.%u.%u", HIPQUAD(*mms_ip));
-
- /* protocol ? */
- if(strncmp(tempstring+3+i, "TCP", 3)==0)
- *mms_proto = IPPROTO_TCP;
- else if(strncmp(tempstring+3+i, "UDP", 3)==0)
- *mms_proto = IPPROTO_UDP;
-
- /* port ? */
- *mms_port = atoi(tempstring+7+i);
-
- /* we store a pointer to the beginning of the "\\a.b.c.d\proto\port"
- unicode string, one to the end of the string, and one to the end
- of the packet, since we must keep track of the number of bytes
- between end of the unicode string and the end of packet (padding) */
- *mms_string_b = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET);
- *mms_string_e = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET + unicode_size * 2);
- *mms_padding_e = (char *)(data + datalen); /* looks funny, doesn't it */
- return 0;
-}
-
-
-static int help(const struct iphdr *iph, size_t len,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo)
-{
- /* tcplen not negative guaranteed by ip_conntrack_tcp.c */
- struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
- const char *data = (const char *)tcph + tcph->doff * 4;
- unsigned int tcplen = len - iph->ihl * 4;
- unsigned int datalen = tcplen - tcph->doff * 4;
- int dir = CTINFO2DIR(ctinfo);
- struct ip_conntrack_expect expect, *exp = &expect;
- struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info;
-
- u_int32_t mms_ip;
- u_int16_t mms_proto;
- char mms_proto_string[8];
- u_int16_t mms_port;
- char *mms_string_b, *mms_string_e, *mms_padding_e;
-
- /* Until there's been traffic both ways, don't look in packets. */
- if (ctinfo != IP_CT_ESTABLISHED
- && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
- DEBUGP("ip_conntrack_mms: Conntrackinfo = %u\n", ctinfo);
- return NF_ACCEPT;
- }
-
- /* Not whole TCP header? */
- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) {
- DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen);
- return NF_ACCEPT;
- }
-
- /* Checksum invalid? Ignore. */
- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
- csum_partial((char *)tcph, tcplen, 0))) {
- DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
- tcph, tcplen, NIPQUAD(iph->saddr),
- NIPQUAD(iph->daddr));
- return NF_ACCEPT;
- }
-
- /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */
- if( (MMS_SRV_MSG_OFFSET < datalen) &&
- ((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) {
- DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n",
- (u8)*(data+36), (u8)*(data+37),
- (u8)*(data+38), (u8)*(data+39),
- datalen);
- if(parse_mms(data, datalen, &mms_ip, &mms_proto, &mms_port,
- &mms_string_b, &mms_string_e, &mms_padding_e))
- if(net_ratelimit())
- printk(KERN_WARNING
- "ip_conntrack_mms: Unable to parse data payload\n");
-
- memset(&expect, 0, sizeof(expect));
-
- sprintf(mms_proto_string, "(%u)", mms_proto);
- DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n",
- mms_proto == IPPROTO_TCP ? "TCP"
- : mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string,
- NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
- NIPQUAD(mms_ip),
- mms_port);
-
- /* it's possible that the client will just ask the server to tunnel
- the stream over the same TCP session (from port 1755): there's
- shouldn't be a need to add an expectation in that case, but it
- makes NAT packet mangling so much easier */
- LOCK_BH(&ip_mms_lock);
-
- DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq);
-
- exp->seq = ntohl(tcph->seq) + (mms_string_b - data);
- exp_mms_info->len = (mms_string_e - mms_string_b);
- exp_mms_info->padding = (mms_padding_e - mms_string_e);
- exp_mms_info->port = mms_port;
-
- DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n",
- exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding);
-
- exp->tuple = ((struct ip_conntrack_tuple)
- { { ct->tuplehash[!dir].tuple.src.ip, { 0 } },
- { mms_ip,
- { (__u16) ntohs(mms_port) },
- mms_proto } }
- );
- exp->mask = ((struct ip_conntrack_tuple)
- { { 0xFFFFFFFF, { 0 } },
- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
- exp->expectfn = NULL;
- ip_conntrack_expect_related(ct, &expect);
- UNLOCK_BH(&ip_mms_lock);
- }
-
- return NF_ACCEPT;
-}
-
-static struct ip_conntrack_helper mms[MAX_PORTS];
-static char mms_names[MAX_PORTS][10];
-
-/* Not __exit: called from init() */
-static void fini(void)
-{
- int i;
- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
- DEBUGP("ip_conntrack_mms: unregistering helper for port %d\n",
- ports[i]);
- ip_conntrack_helper_unregister(&mms[i]);
- }
-}
-
-static int __init init(void)
-{
- int i, ret;
- char *tmpname;
-
- if (ports[0] == 0)
- ports[0] = MMS_PORT;
-
- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
- memset(&mms[i], 0, sizeof(struct ip_conntrack_helper));
- mms[i].tuple.src.u.tcp.port = htons(ports[i]);
- mms[i].tuple.dst.protonum = IPPROTO_TCP;
- mms[i].mask.src.u.tcp.port = 0xFFFF;
- mms[i].mask.dst.protonum = 0xFFFF;
- mms[i].max_expected = 1;
- mms[i].timeout = 0;
- mms[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
- mms[i].me = THIS_MODULE;
- mms[i].help = help;
-
- tmpname = &mms_names[i][0];
- if (ports[i] == MMS_PORT)
- sprintf(tmpname, "mms");
- else
- sprintf(tmpname, "mms-%d", ports[i]);
- mms[i].name = tmpname;
-
- DEBUGP("ip_conntrack_mms: registering helper for port %d\n",
- ports[i]);
- ret = ip_conntrack_helper_register(&mms[i]);
-
- if (ret) {
- fini();
- return ret;
- }
- ports_c++;
- }
- return 0;
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,531 +0,0 @@
-/*
- * ip_conntrack_pptp.c - Version 1.11
- *
- * Connection tracking support for PPTP (Point to Point Tunneling Protocol).
- * PPTP is a a protocol for creating virtual private networks.
- * It is a specification defined by Microsoft and some vendors
- * working with Microsoft. PPTP is built on top of a modified
- * version of the Internet Generic Routing Encapsulation Protocol.
- * GRE is defined in RFC 1701 and RFC 1702. Documentation of
- * PPTP can be found in RFC 2637
- *
- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>,
- *
- * Development of this code funded by Astaro AG (http://www.astaro.com/)
- *
- * Limitations:
- * - We blindly assume that control connections are always
- * established in PNS->PAC direction. This is a violation
- * of RFFC2673
- *
- * TODO: - finish support for multiple calls within one session
- * (needs expect reservations in newnat)
- * - testing of incoming PPTP calls
- */
-
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/lockhelp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP");
-
-DECLARE_LOCK(ip_pptp_lock);
-
-#define DEBUGP(format, args...)
-
-#define SECS *HZ
-#define MINS * 60 SECS
-#define HOURS * 60 MINS
-#define DAYS * 24 HOURS
-
-#define PPTP_GRE_TIMEOUT (10 MINS)
-#define PPTP_GRE_STREAM_TIMEOUT (5 DAYS)
-
-static int pptp_expectfn(struct ip_conntrack *ct)
-{
- struct ip_conntrack_expect *exp, *other_exp;
- struct ip_conntrack *master;
-
- DEBUGP("increasing timeouts\n");
- /* increase timeout of GRE data channel conntrack entry */
- ct->proto.gre.timeout = PPTP_GRE_TIMEOUT;
- ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT;
-
- master = master_ct(ct);
- if (!master) {
- DEBUGP(" no master!!!\n");
- return 0;
- }
-
- DEBUGP("completing tuples with ct info\n");
- /* we can do this, since we're unconfirmed */
- if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key ==
- htonl(master->help.ct_pptp_info.pac_call_id)) {
- /* assume PNS->PAC */
- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
- htonl(master->help.ct_pptp_info.pns_call_id);
- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
- htonl(master->help.ct_pptp_info.pns_call_id);
- } else {
- /* assume PAC->PNS */
- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
- htonl(master->help.ct_pptp_info.pac_call_id);
- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
- htonl(master->help.ct_pptp_info.pns_call_id);
- }
-
- return 0;
-}
-
-/* timeout GRE data connections */
-static int pptp_timeout_related(struct ip_conntrack *ct)
-{
- struct list_head *cur_item;
- struct ip_conntrack_expect *exp;
-
- list_for_each(cur_item, &ct->sibling_list) {
- exp = list_entry(cur_item, struct ip_conntrack_expect,
- expected_list);
-
- if (!exp->sibling)
- continue;
-
- DEBUGP("setting timeout of conntrack %p to 0\n",
- exp->sibling);
- exp->sibling->proto.gre.timeout = 0;
- exp->sibling->proto.gre.stream_timeout = 0;
- ip_ct_refresh(exp->sibling, 0);
- }
-
- return 0;
-}
-
-/* expect GRE connection in PNS->PAC direction */
-static inline int
-exp_gre(struct ip_conntrack *master,
- u_int32_t seq,
- u_int16_t callid,
- u_int16_t peer_callid)
-{
- struct ip_conntrack_expect exp;
- struct ip_conntrack_tuple inv_tuple;
-
- memset(&exp, 0, sizeof(exp));
- /* tuple in original direction, PAC->PNS */
- exp.tuple.src.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
- exp.tuple.src.u.gre.key = htonl(ntohs(peer_callid));
- exp.tuple.dst.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
- exp.tuple.dst.u.gre.key = htonl(ntohs(callid));
- exp.tuple.dst.u.gre.protocol = __constant_htons(GRE_PROTOCOL_PPTP);
- exp.tuple.dst.u.gre.version = GRE_VERSION_PPTP;
- exp.tuple.dst.protonum = IPPROTO_GRE;
-
- exp.mask.src.ip = 0xffffffff;
- exp.mask.src.u.all = 0;
- exp.mask.dst.u.all = 0;
- exp.mask.dst.u.gre.key = 0xffffffff;
- exp.mask.dst.u.gre.version = 0xff;
- exp.mask.dst.u.gre.protocol = 0xffff;
- exp.mask.dst.ip = 0xffffffff;
- exp.mask.dst.protonum = 0xffff;
-
- exp.seq = seq;
- exp.expectfn = pptp_expectfn;
-
- exp.help.exp_pptp_info.pac_call_id = ntohs(callid);
- exp.help.exp_pptp_info.pns_call_id = ntohs(peer_callid);
-
- DEBUGP("calling expect_related ");
- DUMP_TUPLE_RAW(&exp.tuple);
-
- /* Add GRE keymap entries */
- ip_ct_gre_keymap_add(&exp, &exp.tuple, 0);
- invert_tuplepr(&inv_tuple, &exp.tuple);
- ip_ct_gre_keymap_add(&exp, &inv_tuple, 1);
-
- ip_conntrack_expect_related(master, &exp);
-
- return 0;
-}
-
-static inline int
-pptp_inbound_pkt(struct tcphdr *tcph,
- struct pptp_pkt_hdr *pptph,
- size_t datalen,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo)
-{
- struct PptpControlHeader *ctlh;
- union pptp_ctrl_union pptpReq;
-
- struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
- u_int16_t msg, *cid, *pcid;
- u_int32_t seq;
-
- ctlh = (struct PptpControlHeader *)
- ((char *) pptph + sizeof(struct pptp_pkt_hdr));
- pptpReq.rawreq = (void *)
- ((char *) ctlh + sizeof(struct PptpControlHeader));
-
- msg = ntohs(ctlh->messageType);
- DEBUGP("inbound control message %s\n", strMName[msg]);
-
- switch (msg) {
- case PPTP_START_SESSION_REPLY:
- /* server confirms new control session */
- if (info->sstate < PPTP_SESSION_REQUESTED) {
- DEBUGP("%s without START_SESS_REQUEST\n",
- strMName[msg]);
- break;
- }
- if (pptpReq.srep->resultCode == PPTP_START_OK)
- info->sstate = PPTP_SESSION_CONFIRMED;
- else
- info->sstate = PPTP_SESSION_ERROR;
- break;
-
- case PPTP_STOP_SESSION_REPLY:
- /* server confirms end of control session */
- if (info->sstate > PPTP_SESSION_STOPREQ) {
- DEBUGP("%s without STOP_SESS_REQUEST\n",
- strMName[msg]);
- break;
- }
- if (pptpReq.strep->resultCode == PPTP_STOP_OK)
- info->sstate = PPTP_SESSION_NONE;
- else
- info->sstate = PPTP_SESSION_ERROR;
- break;
-
- case PPTP_OUT_CALL_REPLY:
- /* server accepted call, we now expect GRE frames */
- if (info->sstate != PPTP_SESSION_CONFIRMED) {
- DEBUGP("%s but no session\n", strMName[msg]);
- break;
- }
- if (info->cstate != PPTP_CALL_OUT_REQ &&
- info->cstate != PPTP_CALL_OUT_CONF) {
- DEBUGP("%s without OUTCALL_REQ\n", strMName[msg]);
- break;
- }
- if (pptpReq.ocack->resultCode != PPTP_OUTCALL_CONNECT) {
- info->cstate = PPTP_CALL_NONE;
- break;
- }
-
- cid = &pptpReq.ocack->callID;
- pcid = &pptpReq.ocack->peersCallID;
-
- info->pac_call_id = ntohs(*cid);
-
- if (htons(info->pns_call_id) != *pcid) {
- DEBUGP("%s for unknown callid %u\n",
- strMName[msg], ntohs(*pcid));
- break;
- }
-
- DEBUGP("%s, CID=%X, PCID=%X\n", strMName[msg],
- ntohs(*cid), ntohs(*pcid));
-
- info->cstate = PPTP_CALL_OUT_CONF;
-
- seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph);
- exp_gre(ct, seq, *cid, *pcid);
- break;
-
- case PPTP_IN_CALL_REQUEST:
- /* server tells us about incoming call request */
- if (info->sstate != PPTP_SESSION_CONFIRMED) {
- DEBUGP("%s but no session\n", strMName[msg]);
- break;
- }
- pcid = &pptpReq.icack->peersCallID;
- DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid));
- info->cstate = PPTP_CALL_IN_REQ;
- info->pac_call_id= ntohs(*pcid);
- break;
-
- case PPTP_IN_CALL_CONNECT:
- /* server tells us about incoming call established */
- if (info->sstate != PPTP_SESSION_CONFIRMED) {
- DEBUGP("%s but no session\n", strMName[msg]);
- break;
- }
- if (info->sstate != PPTP_CALL_IN_REP
- && info->sstate != PPTP_CALL_IN_CONF) {
- DEBUGP("%s but never sent IN_CALL_REPLY\n",
- strMName[msg]);
- break;
- }
-
- pcid = &pptpReq.iccon->peersCallID;
- cid = &info->pac_call_id;
-
- if (info->pns_call_id != ntohs(*pcid)) {
- DEBUGP("%s for unknown CallID %u\n",
- strMName[msg], ntohs(*cid));
- break;
- }
-
- DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid));
- info->cstate = PPTP_CALL_IN_CONF;
-
- /* we expect a GRE connection from PAC to PNS */
- seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph);
- exp_gre(ct, seq, *cid, *pcid);
-
- break;
-
- case PPTP_CALL_DISCONNECT_NOTIFY:
- /* server confirms disconnect */
- cid = &pptpReq.disc->callID;
- DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid));
- info->cstate = PPTP_CALL_NONE;
-
- /* untrack this call id, unexpect GRE packets */
- pptp_timeout_related(ct);
- /* NEWNAT: look up exp for call id and unexpct_related */
- break;
-
- case PPTP_WAN_ERROR_NOTIFY:
- break;
-
- case PPTP_ECHO_REQUEST:
- case PPTP_ECHO_REPLY:
- /* I don't have to explain these ;) */
- break;
- default:
- DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)
- ? strMName[msg]:strMName[0], msg);
- break;
- }
-
- return NF_ACCEPT;
-
-}
-
-static inline int
-pptp_outbound_pkt(struct tcphdr *tcph,
- struct pptp_pkt_hdr *pptph,
- size_t datalen,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo)
-{
- struct PptpControlHeader *ctlh;
- union pptp_ctrl_union pptpReq;
- struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
- u_int16_t msg, *cid, *pcid;
-
- ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
- pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
-
- msg = ntohs(ctlh->messageType);
- DEBUGP("outbound control message %s\n", strMName[msg]);
-
- switch (msg) {
- case PPTP_START_SESSION_REQUEST:
- /* client requests for new control session */
- if (info->sstate != PPTP_SESSION_NONE) {
- DEBUGP("%s but we already have one",
- strMName[msg]);
- }
- info->sstate = PPTP_SESSION_REQUESTED;
- break;
- case PPTP_STOP_SESSION_REQUEST:
- /* client requests end of control session */
- info->sstate = PPTP_SESSION_STOPREQ;
- break;
-
- case PPTP_OUT_CALL_REQUEST:
- /* client initiating connection to server */
- if (info->sstate != PPTP_SESSION_CONFIRMED) {
- DEBUGP("%s but no session\n",
- strMName[msg]);
- break;
- }
- info->cstate = PPTP_CALL_OUT_REQ;
- /* track PNS call id */
- cid = &pptpReq.ocreq->callID;
- DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid));
- info->pns_call_id = ntohs(*cid);
- break;
- case PPTP_IN_CALL_REPLY:
- /* client answers incoming call */
- if (info->cstate != PPTP_CALL_IN_REQ
- && info->cstate != PPTP_CALL_IN_REP) {
- DEBUGP("%s without incall_req\n",
- strMName[msg]);
- break;
- }
- if (pptpReq.icack->resultCode != PPTP_INCALL_ACCEPT) {
- info->cstate = PPTP_CALL_NONE;
- break;
- }
- pcid = &pptpReq.icack->peersCallID;
- if (info->pac_call_id != ntohs(*pcid)) {
- DEBUGP("%s for unknown call %u\n",
- strMName[msg], ntohs(*pcid));
- break;
- }
- DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*pcid));
- /* part two of the three-way handshake */
- info->cstate = PPTP_CALL_IN_REP;
- info->pns_call_id = ntohs(pptpReq.icack->callID);
- break;
-
- case PPTP_CALL_CLEAR_REQUEST:
- /* client requests hangup of call */
- if (info->sstate != PPTP_SESSION_CONFIRMED) {
- DEBUGP("CLEAR_CALL but no session\n");
- break;
- }
- /* FUTURE: iterate over all calls and check if
- * call ID is valid. We don't do this without newnat,
- * because we only know about last call */
- info->cstate = PPTP_CALL_CLEAR_REQ;
- break;
- case PPTP_SET_LINK_INFO:
- break;
- case PPTP_ECHO_REQUEST:
- case PPTP_ECHO_REPLY:
- /* I don't have to explain these ;) */
- break;
- default:
- DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)?
- strMName[msg]:strMName[0], msg);
- /* unknown: no need to create GRE masq table entry */
- break;
- }
-
- return NF_ACCEPT;
-}
-
-
-/* track caller id inside control connection, call expect_related */
-static int
-conntrack_pptp_help(const struct iphdr *iph, size_t len,
- struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
-
-{
- struct pptp_pkt_hdr *pptph;
-
- struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
- u_int32_t tcplen = len - iph->ihl * 4;
- u_int32_t datalen = tcplen - tcph->doff * 4;
- void *datalimit;
- int dir = CTINFO2DIR(ctinfo);
- struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
-
- int oldsstate, oldcstate;
- int ret;
-
- /* don't do any tracking before tcp handshake complete */
- if (ctinfo != IP_CT_ESTABLISHED
- && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
- DEBUGP("ctinfo = %u, skipping\n", ctinfo);
- return NF_ACCEPT;
- }
-
- /* not a complete TCP header? */
- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) {
- DEBUGP("tcplen = %u\n", tcplen);
- return NF_ACCEPT;
- }
-
- /* checksum invalid? */
- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
- csum_partial((char *) tcph, tcplen, 0))) {
- printk(KERN_NOTICE __FILE__ ": bad csum\n");
-// return NF_ACCEPT;
- }
-
- if (tcph->fin || tcph->rst) {
- DEBUGP("RST/FIN received, timeouting GRE\n");
- /* can't do this after real newnat */
- info->cstate = PPTP_CALL_NONE;
-
- /* untrack this call id, unexpect GRE packets */
- pptp_timeout_related(ct);
- /* no need to call unexpect_related since master conn
- * dies anyway */
- }
-
-
- pptph = (struct pptp_pkt_hdr *) ((void *) tcph + tcph->doff * 4);
- datalimit = (void *) pptph + datalen;
-
- /* not a full pptp packet header? */
- if ((void *) pptph+sizeof(*pptph) >= datalimit) {
- DEBUGP("no full PPTP header, can't track\n");
- return NF_ACCEPT;
- }
-
- /* if it's not a control message we can't do anything with it */
- if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL ||
- ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) {
- DEBUGP("not a control packet\n");
- return NF_ACCEPT;
- }
-
- oldsstate = info->sstate;
- oldcstate = info->cstate;
-
- LOCK_BH(&ip_pptp_lock);
-
- if (dir == IP_CT_DIR_ORIGINAL)
- /* client -> server (PNS -> PAC) */
- ret = pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo);
- else
- /* server -> client (PAC -> PNS) */
- ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo);
- DEBUGP("sstate: %d->%d, cstate: %d->%d\n",
- oldsstate, info->sstate, oldcstate, info->cstate);
- UNLOCK_BH(&ip_pptp_lock);
-
- return ret;
-}
-
-/* control protocol helper */
-static struct ip_conntrack_helper pptp = {
- { NULL, NULL },
- "pptp", IP_CT_HELPER_F_REUSE_EXPECT, THIS_MODULE, 2, 0,
- { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } },
- { 0, { 0 }, IPPROTO_TCP } },
- { { 0, { tcp: { port: 0xffff } } },
- { 0, { 0 }, 0xffff } },
- conntrack_pptp_help };
-
-/* ip_conntrack_pptp initialization */
-static int __init init(void)
-{
- int retcode;
-
- DEBUGP(__FILE__ ": registering helper\n");
- if ((retcode = ip_conntrack_helper_register(&pptp))) {
- printk(KERN_ERR "Unable to register conntrack application "
- "helper for pptp: %d\n", retcode);
- return -EIO;
- }
-
- return 0;
-}
-
-static void __exit fini(void)
-{
- ip_conntrack_helper_unregister(&pptp);
-}
-
-module_init(init);
-module_exit(fini);
-
-EXPORT_SYMBOL(ip_pptp_lock);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 1969-12-31 19:00:00.000000000 -0500
@@ -1,24 +0,0 @@
-#ifndef _IP_CT_PPTP_PRIV_H
-#define _IP_CT_PPTP_PRIV_H
-
-/* PptpControlMessageType names */
-static const char *strMName[] = {
- "UNKNOWN_MESSAGE",
- "START_SESSION_REQUEST",
- "START_SESSION_REPLY",
- "STOP_SESSION_REQUEST",
- "STOP_SESSION_REPLY",
- "ECHO_REQUEST",
- "ECHO_REPLY",
- "OUT_CALL_REQUEST",
- "OUT_CALL_REPLY",
- "IN_CALL_REQUEST",
- "IN_CALL_REPLY",
- "IN_CALL_CONNECT",
- "CALL_CLEAR_REQUEST",
- "CALL_DISCONNECT_NOTIFY",
- "WAN_ERROR_NOTIFY",
- "SET_LINK_INFO"
-};
-
-#endif
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,320 +0,0 @@
-/*
- * ip_conntrack_proto_gre.c - Version 1.11
- *
- * Connection tracking protocol helper module for GRE.
- *
- * GRE is a generic encapsulation protocol, which is generally not very
- * suited for NAT, as it has no protocol-specific part as port numbers.
- *
- * It has an optional key field, which may help us distinguishing two
- * connections between the same two hosts.
- *
- * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
- *
- * PPTP is built on top of a modified version of GRE, and has a mandatory
- * field called "CallID", which serves us for the same purpose as the key
- * field in plain GRE.
- *
- * Documentation about PPTP can be found in RFC 2637
- *
- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
- *
- * Development of this code funded by Astaro AG (http://www.astaro.com/)
- *
- */
-
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/types.h>
-#include <linux/timer.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <linux/in.h>
-#include <linux/list.h>
-
-#include <linux/netfilter_ipv4/lockhelp.h>
-
-DECLARE_RWLOCK(ip_ct_gre_lock);
-#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_ct_gre_lock)
-#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_ct_gre_lock)
-
-#include <linux/netfilter_ipv4/listhelp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_core.h>
-
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("netfilter connection tracking protocol helper for GRE");
-
-/* shamelessly stolen from ip_conntrack_proto_udp.c */
-#define GRE_TIMEOUT (30*HZ)
-#define GRE_STREAM_TIMEOUT (180*HZ)
-
-#define DEBUGP(x, args...)
-#define DUMP_TUPLE_GRE(x)
-
-/* GRE KEYMAP HANDLING FUNCTIONS */
-static LIST_HEAD(gre_keymap_list);
-
-static inline int gre_key_cmpfn(const struct ip_ct_gre_keymap *km,
- const struct ip_conntrack_tuple *t)
-{
- return ((km->tuple.src.ip == t->src.ip) &&
- (km->tuple.dst.ip == t->dst.ip) &&
- (km->tuple.dst.protonum == t->dst.protonum) &&
- (km->tuple.dst.u.all == t->dst.u.all));
-}
-
-/* look up the source key for a given tuple */
-static u_int32_t gre_keymap_lookup(struct ip_conntrack_tuple *t)
-{
- struct ip_ct_gre_keymap *km;
- u_int32_t key;
-
- READ_LOCK(&ip_ct_gre_lock);
- km = LIST_FIND(&gre_keymap_list, gre_key_cmpfn,
- struct ip_ct_gre_keymap *, t);
- if (!km) {
- READ_UNLOCK(&ip_ct_gre_lock);
- return 0;
- }
-
- key = km->tuple.src.u.gre.key;
- READ_UNLOCK(&ip_ct_gre_lock);
-
- return key;
-}
-
-/* add a single keymap entry, associate with specified expect */
-int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
- struct ip_conntrack_tuple *t, int reply)
-{
- struct ip_ct_gre_keymap *km;
-
- km = kmalloc(sizeof(*km), GFP_ATOMIC);
- if (!km)
- return -1;
-
- /* initializing list head should be sufficient */
- memset(km, 0, sizeof(*km));
-
- memcpy(&km->tuple, t, sizeof(*t));
- km->master = exp;
-
- if (!reply)
- exp->proto.gre.keymap_orig = km;
- else
- exp->proto.gre.keymap_reply = km;
-
- DEBUGP("adding new entry %p: ", km);
- DUMP_TUPLE_GRE(&km->tuple);
-
- WRITE_LOCK(&ip_ct_gre_lock);
- list_append(&gre_keymap_list, km);
- WRITE_UNLOCK(&ip_ct_gre_lock);
-
- return 0;
-}
-
-/* change the tuple of a keymap entry (used by nat helper) */
-void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
- struct ip_conntrack_tuple *t)
-{
- DEBUGP("changing entry %p to: ", km);
- DUMP_TUPLE_GRE(t);
-
- WRITE_LOCK(&ip_ct_gre_lock);
- memcpy(&km->tuple, t, sizeof(km->tuple));
- WRITE_UNLOCK(&ip_ct_gre_lock);
-}
-
-
-/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
-
-/* invert gre part of tuple */
-static int gre_invert_tuple(struct ip_conntrack_tuple *tuple,
- const struct ip_conntrack_tuple *orig)
-{
- tuple->dst.u.gre.protocol = orig->dst.u.gre.protocol;
- tuple->dst.u.gre.version = orig->dst.u.gre.version;
-
- tuple->dst.u.gre.key = orig->src.u.gre.key;
- tuple->src.u.gre.key = orig->dst.u.gre.key;
-
- return 1;
-}
-
-/* gre hdr info to tuple */
-static int gre_pkt_to_tuple(const void *datah, size_t datalen,
- struct ip_conntrack_tuple *tuple)
-{
- struct gre_hdr *grehdr = (struct gre_hdr *) datah;
- struct gre_hdr_pptp *pgrehdr = (struct gre_hdr_pptp *) datah;
- u_int32_t srckey;
-
- /* core guarantees 8 protocol bytes, no need for size check */
-
- tuple->dst.u.gre.version = grehdr->version;
- tuple->dst.u.gre.protocol = grehdr->protocol;
-
- switch (grehdr->version) {
- case GRE_VERSION_1701:
- if (!grehdr->key) {
- DEBUGP("Can't track GRE without key\n");
- return 0;
- }
- tuple->dst.u.gre.key = *(gre_key(grehdr));
- break;
-
- case GRE_VERSION_PPTP:
- if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) {
- DEBUGP("GRE_VERSION_PPTP but unknown proto\n");
- return 0;
- }
- tuple->dst.u.gre.key = htonl(ntohs(pgrehdr->call_id));
- break;
-
- default:
- printk(KERN_WARNING "unknown GRE version %hu\n",
- tuple->dst.u.gre.version);
- return 0;
- }
-
- srckey = gre_keymap_lookup(tuple);
-
- tuple->src.u.gre.key = srckey;
-
- return 1;
-}
-
-/* print gre part of tuple */
-static unsigned int gre_print_tuple(char *buffer,
- const struct ip_conntrack_tuple *tuple)
-{
- return sprintf(buffer, "version=%d protocol=0x%04x srckey=0x%x dstkey=0x%x ",
- tuple->dst.u.gre.version,
- ntohs(tuple->dst.u.gre.protocol),
- ntohl(tuple->src.u.gre.key),
- ntohl(tuple->dst.u.gre.key));
-}
-
-/* print private data for conntrack */
-static unsigned int gre_print_conntrack(char *buffer,
- const struct ip_conntrack *ct)
-{
- return sprintf(buffer, "timeout=%u, stream_timeout=%u ",
- (ct->proto.gre.timeout / HZ),
- (ct->proto.gre.stream_timeout / HZ));
-}
-
-/* Returns verdict for packet, and may modify conntrack */
-static int gre_packet(struct ip_conntrack *ct,
- struct iphdr *iph, size_t len,
- enum ip_conntrack_info conntrackinfo)
-{
- /* If we've seen traffic both ways, this is a GRE connection.
- * Extend timeout. */
- if (ct->status & IPS_SEEN_REPLY) {
- ip_ct_refresh(ct, ct->proto.gre.stream_timeout);
- /* Also, more likely to be important, and not a probe. */
- set_bit(IPS_ASSURED_BIT, &ct->status);
- } else
- ip_ct_refresh(ct, ct->proto.gre.timeout);
-
- return NF_ACCEPT;
-}
-
-/* Called when a new connection for this protocol found. */
-static int gre_new(struct ip_conntrack *ct,
- struct iphdr *iph, size_t len)
-{
- DEBUGP(": ");
- DUMP_TUPLE_GRE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
-
- /* initialize to sane value. Ideally a conntrack helper
- * (e.g. in case of pptp) is increasing them */
- ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT;
- ct->proto.gre.timeout = GRE_TIMEOUT;
-
- return 1;
-}
-
-/* Called when a conntrack entry has already been removed from the hashes
- * and is about to be deleted from memory */
-static void gre_destroy(struct ip_conntrack *ct)
-{
- struct ip_conntrack_expect *master = ct->master;
-
- DEBUGP(" entering\n");
-
- if (!master) {
- DEBUGP("no master exp for ct %p\n", ct);
- return;
- }
-
- WRITE_LOCK(&ip_ct_gre_lock);
- if (master->proto.gre.keymap_orig) {
- DEBUGP("removing %p from list\n", master->proto.gre.keymap_orig);
- list_del(&master->proto.gre.keymap_orig->list);
- kfree(master->proto.gre.keymap_orig);
- }
- if (master->proto.gre.keymap_reply) {
- DEBUGP("removing %p from list\n", master->proto.gre.keymap_reply);
- list_del(&master->proto.gre.keymap_reply->list);
- kfree(master->proto.gre.keymap_reply);
- }
- WRITE_UNLOCK(&ip_ct_gre_lock);
-}
-
-/* protocol helper struct */
-static struct ip_conntrack_protocol gre = { { NULL, NULL }, IPPROTO_GRE,
- "gre",
- gre_pkt_to_tuple,
- gre_invert_tuple,
- gre_print_tuple,
- gre_print_conntrack,
- gre_packet,
- gre_new,
- gre_destroy,
- NULL,
- THIS_MODULE };
-
-/* ip_conntrack_proto_gre initialization */
-static int __init init(void)
-{
- int retcode;
-
- if ((retcode = ip_conntrack_protocol_register(&gre))) {
- printk(KERN_ERR "Unable to register conntrack protocol "
- "helper for gre: %d\n", retcode);
- return -EIO;
- }
-
- return 0;
-}
-
-static void __exit fini(void)
-{
- struct list_head *pos, *n;
-
- /* delete all keymap entries */
- WRITE_LOCK(&ip_ct_gre_lock);
- list_for_each_safe(pos, n, &gre_keymap_list) {
- DEBUGP("deleting keymap %p\n", pos);
- list_del(pos);
- kfree(pos);
- }
- WRITE_UNLOCK(&ip_ct_gre_lock);
-
- ip_conntrack_protocol_unregister(&gre);
-}
-
-EXPORT_SYMBOL(ip_ct_gre_keymap_add);
-EXPORT_SYMBOL(ip_ct_gre_keymap_change);
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2003-08-12 07:33:45.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-05-09 04:13:03.000000000 -0400
@@ -15,11 +15,17 @@
#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
#include <linux/netfilter_ipv4/lockhelp.h>
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
/* Protects conntrack->proto.tcp */
static DECLARE_RWLOCK(tcp_lock);
+/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
+ closely. They're more complex. --RR */
/* Actually, I believe that neither ipmasq (where this code is stolen
from) nor ipfilter do it exactly right. A new conntrack machine taking
@@ -39,6 +45,25 @@
"LISTEN"
};
+#define SECS *HZ
+#define MINS * 60 SECS
+#define HOURS * 60 MINS
+#define DAYS * 24 HOURS
+
+
+static unsigned long tcp_timeouts[]
+= { 30 MINS, /* TCP_CONNTRACK_NONE, */
+ 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
+ 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
+ 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
+ 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
+ 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
+ 10 SECS, /* TCP_CONNTRACK_CLOSE, */
+ 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
+ 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
+ 2 MINS, /* TCP_CONNTRACK_LISTEN, */
+};
+
#define sNO TCP_CONNTRACK_NONE
#define sES TCP_CONNTRACK_ESTABLISHED
#define sSS TCP_CONNTRACK_SYN_SENT
@@ -161,13 +186,13 @@
&& tcph->syn && tcph->ack)
conntrack->proto.tcp.handshake_ack
= htonl(ntohl(tcph->seq) + 1);
+ WRITE_UNLOCK(&tcp_lock);
/* If only reply is a RST, we can consider ourselves not to
have an established connection: this is a fairly common
problem case, so we can delete the conntrack
immediately. --RR */
if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {
- WRITE_UNLOCK(&tcp_lock);
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)conntrack);
} else {
@@ -178,9 +203,7 @@
&& tcph->ack_seq == conntrack->proto.tcp.handshake_ack)
set_bit(IPS_ASSURED_BIT, &conntrack->status);
- WRITE_UNLOCK(&tcp_lock);
- ip_ct_refresh(conntrack,
- sysctl_ip_conntrack_tcp_timeouts[newconntrack]);
+ ip_ct_refresh(conntrack, tcp_timeouts[newconntrack]);
}
return NF_ACCEPT;
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2003-08-12 07:33:45.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2004-05-09 04:13:03.000000000 -0400
@@ -5,7 +5,9 @@
#include <linux/in.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-#include <linux/netfilter_ipv4/ip_conntrack_udp.h>
+
+#define UDP_TIMEOUT (30*HZ)
+#define UDP_STREAM_TIMEOUT (180*HZ)
static int udp_pkt_to_tuple(const void *datah, size_t datalen,
struct ip_conntrack_tuple *tuple)
@@ -50,13 +52,11 @@
/* If we've seen traffic both ways, this is some kind of UDP
stream. Extend timeout. */
if (conntrack->status & IPS_SEEN_REPLY) {
- ip_ct_refresh(conntrack,
- sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]);
+ ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
/* Also, more likely to be important, and not a probe */
set_bit(IPS_ASSURED_BIT, &conntrack->status);
} else
- ip_ct_refresh(conntrack,
- sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]);
+ ip_ct_refresh(conntrack, UDP_TIMEOUT);
return NF_ACCEPT;
}
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_standalone.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-08-12 07:33:45.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-05-09 04:13:03.000000000 -0400
@@ -27,7 +27,11 @@
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/listhelp.h>
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
struct module *ip_conntrack_module = THIS_MODULE;
MODULE_LICENSE("GPL");
@@ -52,17 +56,12 @@
return len;
}
+/* FIXME: Don't print source proto part. --RR */
static unsigned int
print_expect(char *buffer, const struct ip_conntrack_expect *expect)
{
unsigned int len;
- if (!expect || !expect->expectant || !expect->expectant->helper) {
- DEBUGP("expect %x expect->expectant %x expect->expectant->helper %x\n",
- expect, expect->expectant, expect->expectant->helper);
- return 0;
- }
-
if (expect->expectant->helper->timeout)
len = sprintf(buffer, "EXPECTING: %lu ",
timer_pending(&expect->timeout)
@@ -294,6 +293,8 @@
return ret;
}
+/* FIXME: Allow NULL functions and sub in pointers to generic for
+ them. --RR */
int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
{
int ret = 0;
@@ -362,8 +363,6 @@
EXPORT_SYMBOL(ip_ct_find_proto);
EXPORT_SYMBOL(__ip_ct_find_proto);
EXPORT_SYMBOL(ip_ct_find_helper);
-EXPORT_SYMBOL(sysctl_ip_conntrack_tcp_timeouts);
-EXPORT_SYMBOL(sysctl_ip_conntrack_udp_timeouts);
EXPORT_SYMBOL(ip_conntrack_expect_related);
EXPORT_SYMBOL(ip_conntrack_change_expect);
EXPORT_SYMBOL(ip_conntrack_unexpect_related);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_tftp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c
--- src/linux/linux/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,126 +0,0 @@
-/*
- * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu>
- * Version: 0.0.7
- *
- * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org>
- * - port to newnat API
- *
- */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/udp.h>
-
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tftp.h>
-
-MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>");
-MODULE_DESCRIPTION("Netfilter connection tracking module for tftp");
-MODULE_LICENSE("GPL");
-
-#define MAX_PORTS 8
-static int ports[MAX_PORTS];
-static int ports_c = 0;
-#ifdef MODULE_PARM
-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
-MODULE_PARM_DESC(ports, "port numbers of tftp servers");
-#endif
-
-#define DEBUGP(format, args...)
-
-static int tftp_help(const struct iphdr *iph, size_t len,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo)
-{
- struct udphdr *udph = (void *)iph + iph->ihl * 4;
- struct tftphdr *tftph = (void *)udph + 8;
- struct ip_conntrack_expect exp;
-
- switch (ntohs(tftph->opcode)) {
- /* RRQ and WRQ works the same way */
- case TFTP_OPCODE_READ:
- case TFTP_OPCODE_WRITE:
- DEBUGP("");
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
- memset(&exp, 0, sizeof(exp));
-
- exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
- exp.mask.src.ip = 0xffffffff;
- exp.mask.dst.ip = 0xffffffff;
- exp.mask.dst.u.udp.port = 0xffff;
- exp.mask.dst.protonum = 0xffff;
- exp.expectfn = NULL;
-
- DEBUGP("expect: ");
- DUMP_TUPLE(&exp.tuple);
- DUMP_TUPLE(&exp.mask);
- ip_conntrack_expect_related(ct, &exp);
- break;
- default:
- DEBUGP("Unknown opcode\n");
- }
- return NF_ACCEPT;
-}
-
-static struct ip_conntrack_helper tftp[MAX_PORTS];
-static char tftp_names[MAX_PORTS][10];
-
-static void fini(void)
-{
- int i;
-
- for (i = 0 ; i < ports_c; i++) {
- DEBUGP("unregistering helper for port %d\n",
- ports[i]);
- ip_conntrack_helper_unregister(&tftp[i]);
- }
-}
-
-static int __init init(void)
-{
- int i, ret;
- char *tmpname;
-
- if (!ports[0])
- ports[0]=TFTP_PORT;
-
- for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
- /* Create helper structure */
- memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
-
- tftp[i].tuple.dst.protonum = IPPROTO_UDP;
- tftp[i].tuple.src.u.udp.port = htons(ports[i]);
- tftp[i].mask.dst.protonum = 0xFFFF;
- tftp[i].mask.src.u.udp.port = 0xFFFF;
- tftp[i].max_expected = 1;
- tftp[i].timeout = 0;
- tftp[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
- tftp[i].me = THIS_MODULE;
- tftp[i].help = tftp_help;
-
- tmpname = &tftp_names[i][0];
- if (ports[i] == TFTP_PORT)
- sprintf(tmpname, "tftp");
- else
- sprintf(tmpname, "tftp-%d", i);
- tftp[i].name = tmpname;
-
- DEBUGP("port #%d: %d\n", i, ports[i]);
-
- ret=ip_conntrack_helper_register(&tftp[i]);
- if (ret) {
- printk("ERROR registering helper for port %d\n",
- ports[i]);
- fini();
- return(ret);
- }
- ports_c++;
- }
- return(0);
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_core.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_core.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_core.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_core.c 2004-05-09 04:13:03.000000000 -0400
@@ -31,7 +31,11 @@
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/listhelp.h>
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
DECLARE_RWLOCK(ip_nat_lock);
DECLARE_RWLOCK_EXTERN(ip_conntrack_lock);
@@ -207,6 +211,7 @@
{
struct rtable *rt;
+ /* FIXME: IPTOS_TOS(iph->tos) --RR */
if (ip_route_output(&rt, var_ip, 0, 0, 0) != 0) {
DEBUGP("do_extra_mangle: Can't get route to %u.%u.%u.%u\n",
NIPQUAD(var_ip));
@@ -429,7 +434,7 @@
*tuple = *orig_tuple;
while ((rptr = find_best_ips_proto_fast(tuple, mr, conntrack, hooknum))
!= NULL) {
- DEBUGP("Found best for "); DUMP_TUPLE_RAW(tuple);
+ DEBUGP("Found best for "); DUMP_TUPLE(tuple);
/* 3) The per-protocol part of the manip is made to
map into the range to make a unique tuple. */
@@ -529,6 +534,31 @@
invert_tuplepr(&orig_tp,
&conntrack->tuplehash[IP_CT_DIR_REPLY].tuple);
+#if 0
+ {
+ unsigned int i;
+
+ DEBUGP("Hook %u (%s), ", hooknum,
+ HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST");
+ DUMP_TUPLE(&orig_tp);
+ DEBUGP("Range %p: ", mr);
+ for (i = 0; i < mr->rangesize; i++) {
+ DEBUGP("%u:%s%s%s %u.%u.%u.%u - %u.%u.%u.%u %u - %u\n",
+ i,
+ (mr->range[i].flags & IP_NAT_RANGE_MAP_IPS)
+ ? " MAP_IPS" : "",
+ (mr->range[i].flags
+ & IP_NAT_RANGE_PROTO_SPECIFIED)
+ ? " PROTO_SPECIFIED" : "",
+ (mr->range[i].flags & IP_NAT_RANGE_FULL)
+ ? " FULL" : "",
+ NIPQUAD(mr->range[i].min_ip),
+ NIPQUAD(mr->range[i].max_ip),
+ mr->range[i].min.all,
+ mr->range[i].max.all);
+ }
+ }
+#endif
do {
if (!get_unique_tuple(&new_tuple, &orig_tp, mr, conntrack,
@@ -538,6 +568,15 @@
return NF_DROP;
}
+#if 0
+ DEBUGP("Hook %u (%s) %p\n", hooknum,
+ HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST",
+ conntrack);
+ DEBUGP("Original: ");
+ DUMP_TUPLE(&orig_tp);
+ DEBUGP("New: ");
+ DUMP_TUPLE(&new_tuple);
+#endif
/* We now have two tuples (SRCIP/SRCPT/DSTIP/DSTPT):
the original (A/B/C/D') and the mangled one (E/F/G/H').
@@ -554,6 +593,8 @@
If fail this race (reply tuple now used), repeat. */
} while (!ip_conntrack_alter_reply(conntrack, &reply));
+ /* FIXME: We can simply used existing conntrack reply tuple
+ here --RR */
/* Create inverse of original: C/D/A/B' */
invert_tuplepr(&inv_tuple, &orig_tp);
@@ -678,6 +719,17 @@
iph->check);
iph->daddr = manip->ip;
}
+#if 0
+ if (ip_fast_csum((u8 *)iph, iph->ihl) != 0)
+ DEBUGP("IP: checksum on packet bad.\n");
+
+ if (proto == IPPROTO_TCP) {
+ void *th = (u_int32_t *)iph + iph->ihl;
+ if (tcp_v4_check(th, len - 4*iph->ihl, iph->saddr, iph->daddr,
+ csum_partial((char *)th, len-4*iph->ihl, 0)))
+ DEBUGP("TCP: checksum on packet bad\n");
+ }
+#endif
}
static inline int exp_for_packet(struct ip_conntrack_expect *exp,
@@ -765,6 +817,7 @@
continue;
if (exp_for_packet(exp, pskb)) {
+ /* FIXME: May be true multiple times in the case of UDP!! */
DEBUGP("calling nat helper (exp=%p) for packet\n",
exp);
ret = helper->help(ct, exp, info, ctinfo,
@@ -926,6 +979,7 @@
INIT_LIST_HEAD(&byipsproto[i]);
}
+ /* FIXME: Man, this is a hack. <SIGH> */
IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_h323.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_h323.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_h323.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_h323.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,403 +0,0 @@
-/*
- * H.323 'brute force' extension for NAT alteration.
- * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
- * (http://www.coritel.it/projects/sofia/nat.html)
- * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind'
- * the unregistered helpers to the conntrack entries.
- */
-
-
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/lockhelp.h>
-#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter_ipv4/ip_nat_helper.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
-MODULE_LICENSE("GPL");
-
-DECLARE_LOCK_EXTERN(ip_h323_lock);
-struct module *ip_nat_h323 = THIS_MODULE;
-
-#define DEBUGP(format, args...)
-
-
-static unsigned int
-h225_nat_expected(struct sk_buff **pskb,
- unsigned int hooknum,
- struct ip_conntrack *ct,
- struct ip_nat_info *info);
-
-static unsigned int h225_nat_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb);
-
-static struct ip_nat_helper h245 =
- { { NULL, NULL },
- "H.245", /* name */
- 0, /* flags */
- NULL, /* module */
- { { 0, { 0 } }, /* tuple */
- { 0, { 0 }, IPPROTO_TCP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- h225_nat_help, /* helper */
- h225_nat_expected /* expectfn */
- };
-
-static unsigned int
-h225_nat_expected(struct sk_buff **pskb,
- unsigned int hooknum,
- struct ip_conntrack *ct,
- struct ip_nat_info *info)
-{
- struct ip_nat_multi_range mr;
- u_int32_t newdstip, newsrcip, newip;
- u_int16_t port;
- struct ip_ct_h225_expect *exp_info;
- struct ip_ct_h225_master *master_info;
- struct ip_conntrack *master = master_ct(ct);
- unsigned int is_h225, ret;
-
- IP_NF_ASSERT(info);
- IP_NF_ASSERT(master);
-
- IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum))));
-
- DEBUGP("h225_nat_expected: We have a connection!\n");
- master_info = &ct->master->expectant->help.ct_h225_info;
- exp_info = &ct->master->help.exp_h225_info;
-
- LOCK_BH(&ip_h323_lock);
-
- DEBUGP("master: ");
- DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_REPLY].tuple);
- DEBUGP("conntrack: ");
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- if (exp_info->dir == IP_CT_DIR_ORIGINAL) {
- /* Make connection go to the client. */
- newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
- newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
- DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to client)\n",
- NIPQUAD(newsrcip), NIPQUAD(newdstip));
- } else {
- /* Make the connection go to the server */
- newdstip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
- newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to server)\n",
- NIPQUAD(newsrcip), NIPQUAD(newdstip));
- }
- port = exp_info->port;
- is_h225 = master_info->is_h225 == H225_PORT;
- UNLOCK_BH(&ip_h323_lock);
-
- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC)
- newip = newsrcip;
- else
- newip = newdstip;
-
- DEBUGP("h225_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip));
-
- mr.rangesize = 1;
- /* We don't want to manip the per-protocol, just the IPs... */
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
- mr.range[0].min_ip = mr.range[0].max_ip = newip;
-
- /* ... unless we're doing a MANIP_DST, in which case, make
- sure we map to the correct port */
- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
- mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
- mr.range[0].min = mr.range[0].max
- = ((union ip_conntrack_manip_proto)
- { port });
- }
-
- ret = ip_nat_setup_info(ct, &mr, hooknum);
-
- if (is_h225) {
- DEBUGP("h225_nat_expected: H.225, setting NAT helper for %p\n", ct);
- /* NAT expectfn called with ip_nat_lock write-locked */
- info->helper = &h245;
- }
- return ret;
-}
-
-static int h323_signal_address_fixup(struct ip_conntrack *ct,
- struct sk_buff **pskb,
- enum ip_conntrack_info ctinfo)
-{
- struct iphdr *iph = (*pskb)->nh.iph;
- struct tcphdr *tcph = (void *)iph + iph->ihl*4;
- unsigned char *data;
- u_int32_t tcplen = (*pskb)->len - iph->ihl*4;
- u_int32_t datalen = tcplen - tcph->doff*4;
- struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
- u_int32_t newip;
- u_int16_t port;
- u_int8_t buffer[6];
- int i;
-
- MUST_BE_LOCKED(&ip_h323_lock);
-
- DEBUGP("h323_signal_address_fixup: %s %s\n",
- between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
- ? "yes" : "no",
- between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
- ? "yes" : "no");
- if (!(between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
- || between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)))
- return 1;
-
- DEBUGP("h323_signal_address_fixup: offsets %u + 6 and %u + 6 in %u\n",
- info->offset[IP_CT_DIR_ORIGINAL],
- info->offset[IP_CT_DIR_REPLY],
- tcplen);
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-
- for (i = 0; i < IP_CT_DIR_MAX; i++) {
- DEBUGP("h323_signal_address_fixup: %s %s\n",
- info->dir == IP_CT_DIR_ORIGINAL ? "original" : "reply",
- i == IP_CT_DIR_ORIGINAL ? "caller" : "callee");
- if (!between(info->seq[i], ntohl(tcph->seq),
- ntohl(tcph->seq) + datalen))
- continue;
- if (!between(info->seq[i] + 6, ntohl(tcph->seq),
- ntohl(tcph->seq) + datalen)) {
- /* Partial retransmisison. It's a cracker being funky. */
- if (net_ratelimit()) {
- printk("H.323_NAT: partial packet %u/6 in %u/%u\n",
- info->seq[i],
- ntohl(tcph->seq),
- ntohl(tcph->seq) + datalen);
- }
- return 0;
- }
-
- /* Change address inside packet to match way we're mapping
- this connection. */
- if (i == IP_CT_DIR_ORIGINAL) {
- newip = ct->tuplehash[!info->dir].tuple.dst.ip;
- port = ct->tuplehash[!info->dir].tuple.dst.u.tcp.port;
- } else {
- newip = ct->tuplehash[!info->dir].tuple.src.ip;
- port = ct->tuplehash[!info->dir].tuple.src.u.tcp.port;
- }
-
- data = (char *) tcph + tcph->doff * 4 + info->offset[i];
-
- DEBUGP("h323_signal_address_fixup: orig %s IP:port %u.%u.%u.%u:%u\n",
- i == IP_CT_DIR_ORIGINAL ? "source" : "dest ",
- data[0], data[1], data[2], data[3],
- (data[4] << 8 | data[5]));
-
- /* Modify the packet */
- memcpy(buffer, &newip, 4);
- memcpy(buffer + 4, &port, 2);
- if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset[i],
- 6, buffer, 6))
- return 0;
-
- DEBUGP("h323_signal_address_fixup: new %s IP:port %u.%u.%u.%u:%u\n",
- i == IP_CT_DIR_ORIGINAL ? "source" : "dest ",
- data[0], data[1], data[2], data[3],
- (data[4] << 8 | data[5]));
- }
-
- return 1;
-}
-
-static int h323_data_fixup(struct ip_ct_h225_expect *info,
- struct ip_conntrack *ct,
- struct sk_buff **pskb,
- enum ip_conntrack_info ctinfo,
- struct ip_conntrack_expect *expect)
-{
- u_int32_t newip;
- u_int16_t port;
- u_int8_t buffer[6];
- struct ip_conntrack_tuple newtuple;
- struct iphdr *iph = (*pskb)->nh.iph;
- struct tcphdr *tcph = (void *)iph + iph->ihl*4;
- unsigned char *data;
- u_int32_t tcplen = (*pskb)->len - iph->ihl*4;
- struct ip_ct_h225_master *master_info = &ct->help.ct_h225_info;
- int is_h225;
-
- MUST_BE_LOCKED(&ip_h323_lock);
- DEBUGP("h323_data_fixup: offset %u + 6 in %u\n", info->offset, tcplen);
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-
- if (!between(expect->seq + 6, ntohl(tcph->seq),
- ntohl(tcph->seq) + tcplen - tcph->doff * 4)) {
- /* Partial retransmisison. It's a cracker being funky. */
- if (net_ratelimit()) {
- printk("H.323_NAT: partial packet %u/6 in %u/%u\n",
- expect->seq,
- ntohl(tcph->seq),
- ntohl(tcph->seq) + tcplen - tcph->doff * 4);
- }
- return 0;
- }
-
- /* Change address inside packet to match way we're mapping
- this connection. */
- if (info->dir == IP_CT_DIR_REPLY) {
- /* Must be where client thinks server is */
- newip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
- /* Expect something from client->server */
- newtuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
- newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
- } else {
- /* Must be where server thinks client is */
- newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- /* Expect something from server->client */
- newtuple.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
- newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- }
-
- is_h225 = (master_info->is_h225 == H225_PORT);
-
- if (is_h225) {
- newtuple.dst.protonum = IPPROTO_TCP;
- newtuple.src.u.tcp.port = expect->tuple.src.u.tcp.port;
- } else {
- newtuple.dst.protonum = IPPROTO_UDP;
- newtuple.src.u.udp.port = expect->tuple.src.u.udp.port;
- }
-
- /* Try to get same port: if not, try to change it. */
- for (port = ntohs(info->port); port != 0; port++) {
- if (is_h225)
- newtuple.dst.u.tcp.port = htons(port);
- else
- newtuple.dst.u.udp.port = htons(port);
-
- if (ip_conntrack_change_expect(expect, &newtuple) == 0)
- break;
- }
- if (port == 0) {
- DEBUGP("h323_data_fixup: no free port found!\n");
- return 0;
- }
-
- port = htons(port);
-
- data = (char *) tcph + tcph->doff * 4 + info->offset;
-
- DEBUGP("h323_data_fixup: orig IP:port %u.%u.%u.%u:%u\n",
- data[0], data[1], data[2], data[3],
- (data[4] << 8 | data[5]));
-
- /* Modify the packet */
- memcpy(buffer, &newip, 4);
- memcpy(buffer + 4, &port, 2);
- if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset,
- 6, buffer, 6))
- return 0;
-
- DEBUGP("h323_data_fixup: new IP:port %u.%u.%u.%u:%u\n",
- data[0], data[1], data[2], data[3],
- (data[4] << 8 | data[5]));
-
- return 1;
-}
-
-static unsigned int h225_nat_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb)
-{
- int dir;
- struct ip_ct_h225_expect *exp_info;
-
- /* Only mangle things once: original direction in POST_ROUTING
- and reply direction on PRE_ROUTING. */
- dir = CTINFO2DIR(ctinfo);
- DEBUGP("nat_h323: dir %s at hook %s\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
- DEBUGP("nat_h323: Not touching dir %s at hook %s\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
- return NF_ACCEPT;
- }
-
- if (!exp) {
- LOCK_BH(&ip_h323_lock);
- if (!h323_signal_address_fixup(ct, pskb, ctinfo)) {
- UNLOCK_BH(&ip_h323_lock);
- return NF_DROP;
- }
- UNLOCK_BH(&ip_h323_lock);
- return NF_ACCEPT;
- }
-
- exp_info = &exp->help.exp_h225_info;
-
- LOCK_BH(&ip_h323_lock);
- if (!h323_data_fixup(exp_info, ct, pskb, ctinfo, exp)) {
- UNLOCK_BH(&ip_h323_lock);
- return NF_DROP;
- }
- UNLOCK_BH(&ip_h323_lock);
-
- return NF_ACCEPT;
-}
-
-static struct ip_nat_helper h225 =
- { { NULL, NULL },
- "H.225", /* name */
- IP_NAT_HELPER_F_ALWAYS, /* flags */
- THIS_MODULE, /* module */
- { { 0, { __constant_htons(H225_PORT) } }, /* tuple */
- { 0, { 0 }, IPPROTO_TCP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- h225_nat_help, /* helper */
- h225_nat_expected /* expectfn */
- };
-
-static int __init init(void)
-{
- int ret;
-
- ret = ip_nat_helper_register(&h225);
-
- if (ret != 0)
- printk("ip_nat_h323: cannot initialize the module!\n");
-
- return ret;
-}
-
-static void __exit fini(void)
-{
- ip_nat_helper_unregister(&h225);
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_helper.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_helper.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_helper.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_helper.c 2004-05-09 04:13:03.000000000 -0400
@@ -8,9 +8,6 @@
* - add support for SACK adjustment
* 14 Mar 2002 Harald Welte <laforge@gnumonks.org>:
* - merge SACK support into newnat API
- * 16 Aug 2002 Brian J. Murrell <netfilter@interlinx.bc.ca>:
- * - make ip_nat_resize_packet more generic (TCP and UDP)
- * - add ip_nat_mangle_udp_packet
*/
#include <linux/version.h>
#include <linux/config.h>
@@ -25,7 +22,6 @@
#include <net/icmp.h>
#include <net/ip.h>
#include <net/tcp.h>
-#include <net/udp.h>
#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_nat_lock)
#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_nat_lock)
@@ -38,8 +34,13 @@
#include <linux/netfilter_ipv4/ip_nat_helper.h>
#include <linux/netfilter_ipv4/listhelp.h>
+#if 0
+#define DEBUGP printk
+#define DUMP_OFFSET(x) printk("offset_before=%d, offset_after=%d, correction_pos=%u\n", x->offset_before, x->offset_after, x->correction_pos);
+#else
#define DEBUGP(format, args...)
#define DUMP_OFFSET(x)
+#endif
DECLARE_LOCK(ip_nat_seqofs_lock);
@@ -50,12 +51,18 @@
int new_size)
{
struct iphdr *iph;
+ struct tcphdr *tcph;
+ void *data;
int dir;
struct ip_nat_seq *this_way, *other_way;
DEBUGP("ip_nat_resize_packet: old_size = %u, new_size = %u\n",
(*skb)->len, new_size);
+ iph = (*skb)->nh.iph;
+ tcph = (void *)iph + iph->ihl*4;
+ data = (void *)tcph + tcph->doff*4;
+
dir = CTINFO2DIR(ctinfo);
this_way = &ct->nat.info.seq[dir];
@@ -77,9 +84,8 @@
}
iph = (*skb)->nh.iph;
- if (iph->protocol == IPPROTO_TCP) {
- struct tcphdr *tcph = (void *)iph + iph->ihl*4;
- void *data = (void *)tcph + tcph->doff*4;
+ tcph = (void *)iph + iph->ihl*4;
+ data = (void *)tcph + tcph->doff*4;
DEBUGP("ip_nat_resize_packet: Seq_offset before: ");
DUMP_OFFSET(this_way);
@@ -95,20 +101,25 @@
this_way->correction_pos = ntohl(tcph->seq);
this_way->offset_before = this_way->offset_after;
this_way->offset_after = (int32_t)
- this_way->offset_before + new_size -
- (*skb)->len;
+ this_way->offset_before + new_size - (*skb)->len;
}
UNLOCK_BH(&ip_nat_seqofs_lock);
DEBUGP("ip_nat_resize_packet: Seq_offset after: ");
DUMP_OFFSET(this_way);
- }
return 1;
}
+/* Generic function for mangling variable-length address changes inside
+ * NATed connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX command in FTP).
+ *
+ * Takes care about all the nasty sequence number changes, checksumming,
+ * skb enlargement, ...
+ *
+ * */
int
ip_nat_mangle_tcp_packet(struct sk_buff **skb,
struct ip_conntrack *ct,
@@ -163,7 +174,6 @@
tcph = (void *)iph + iph->ihl*4;
data = (void *)tcph + tcph->doff*4;
- if (rep_len != match_len)
/* move post-replacement */
memmove(data + match_offset + rep_len,
data + match_offset + match_len,
@@ -198,104 +208,6 @@
return 1;
}
-int
-ip_nat_mangle_udp_packet(struct sk_buff **skb,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo,
- unsigned int match_offset,
- unsigned int match_len,
- char *rep_buffer,
- unsigned int rep_len)
-{
- struct iphdr *iph = (*skb)->nh.iph;
- struct udphdr *udph = (void *)iph + iph->ihl * 4;
- unsigned char *data;
- u_int32_t udplen, newlen, newudplen;
-
- udplen = (*skb)->len - iph->ihl*4;
- newudplen = udplen - match_len + rep_len;
- newlen = iph->ihl*4 + newudplen;
-
- if (newlen > 65535) {
- if (net_ratelimit())
- printk("ip_nat_mangle_udp_packet: nat'ed packet "
- "exceeds maximum packet size\n");
- return 0;
- }
-
- if ((*skb)->len != newlen) {
- if (!ip_nat_resize_packet(skb, ct, ctinfo, newlen)) {
- printk("resize_packet failed!!\n");
- return 0;
- }
- }
-
- /* Alexey says: if a hook changes _data_ ... it can break
- original packet sitting in tcp queue and this is fatal */
- if (skb_cloned(*skb)) {
- struct sk_buff *nskb = skb_copy(*skb, GFP_ATOMIC);
- if (!nskb) {
- if (net_ratelimit())
- printk("Out of memory cloning TCP packet\n");
- return 0;
- }
- /* Rest of kernel will get very unhappy if we pass it
- a suddenly-orphaned skbuff */
- if ((*skb)->sk)
- skb_set_owner_w(nskb, (*skb)->sk);
- kfree_skb(*skb);
- *skb = nskb;
- }
-
- /* skb may be copied !! */
- iph = (*skb)->nh.iph;
- udph = (void *)iph + iph->ihl*4;
- data = (void *)udph + sizeof(struct udphdr);
-
- if (rep_len != match_len)
- /* move post-replacement */
- memmove(data + match_offset + rep_len,
- data + match_offset + match_len,
- (*skb)->tail - (data + match_offset + match_len));
-
- /* insert data from buffer */
- memcpy(data + match_offset, rep_buffer, rep_len);
-
- /* update skb info */
- if (newlen > (*skb)->len) {
- DEBUGP("ip_nat_mangle_udp_packet: Extending packet by "
- "%u to %u bytes\n", newlen - (*skb)->len, newlen);
- skb_put(*skb, newlen - (*skb)->len);
- } else {
- DEBUGP("ip_nat_mangle_udp_packet: Shrinking packet from "
- "%u to %u bytes\n", (*skb)->len, newlen);
- skb_trim(*skb, newlen);
- }
-
- /* update the length of the UDP and IP packets to the new values*/
- udph->len = htons((*skb)->len - iph->ihl*4);
- iph->tot_len = htons(newlen);
-
- /* fix udp checksum if udp checksum was previously calculated */
- if ((*skb)->csum != 0) {
- (*skb)->csum = csum_partial((char *)udph +
- sizeof(struct udphdr),
- newudplen - sizeof(struct udphdr),
- 0);
-
- udph->check = 0;
- udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
- newudplen, IPPROTO_UDP,
- csum_partial((char *)udph,
- sizeof(struct udphdr),
- (*skb)->csum));
- }
-
- ip_send_check(iph);
-
- return 1;
-}
-
/* Adjust one found SACK option including checksum correction */
static void
sack_adjust(struct tcphdr *tcph,
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_mms.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_mms.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_mms.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_mms.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,330 +0,0 @@
-/* MMS extension for TCP NAT alteration.
- * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
- * based on ip_nat_ftp.c and ip_nat_irc.c
- *
- * ip_nat_mms.c v0.3 2002-09-22
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- *
- * Module load syntax:
- * insmod ip_nat_mms.o ports=port1,port2,...port<MAX_PORTS>
- *
- * Please give the ports of all MMS servers You wish to connect to.
- * If you don't specify ports, the default will be TCP port 1755.
- *
- * More info on MMS protocol, firewalls and NAT:
- * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp
- * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp
- *
- * The SDP project people are reverse-engineering MMS:
- * http://get.to/sdp
- */
-
-
-#include <linux/module.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <net/tcp.h>
-#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter_ipv4/ip_nat_helper.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-
-#define DEBUGP(format, args...)
-#define DUMP_BYTES(address, counter)
-
-#define MAX_PORTS 8
-static int ports[MAX_PORTS];
-static int ports_c = 0;
-
-#ifdef MODULE_PARM
-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
-#endif
-
-MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
-MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) NAT module");
-MODULE_LICENSE("GPL");
-
-DECLARE_LOCK_EXTERN(ip_mms_lock);
-
-
-static int mms_data_fixup(const struct ip_ct_mms_expect *ct_mms_info,
- struct ip_conntrack *ct,
- struct sk_buff **pskb,
- enum ip_conntrack_info ctinfo,
- struct ip_conntrack_expect *expect)
-{
- u_int32_t newip;
- struct ip_conntrack_tuple t;
- struct iphdr *iph = (*pskb)->nh.iph;
- struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
- char *data = (char *)tcph + tcph->doff * 4;
- int i, j, k, port;
- u_int16_t mms_proto;
-
- u_int32_t *mms_chunkLenLV = (u_int32_t *)(data + MMS_SRV_CHUNKLENLV_OFFSET);
- u_int32_t *mms_chunkLenLM = (u_int32_t *)(data + MMS_SRV_CHUNKLENLM_OFFSET);
- u_int32_t *mms_messageLength = (u_int32_t *)(data + MMS_SRV_MESSAGELENGTH_OFFSET);
-
- int zero_padding;
-
- char buffer[28]; /* "\\255.255.255.255\UDP\65635" * 2 (for unicode) */
- char unicode_buffer[75]; /* 27*2 (unicode) + 20 + 1 */
- char proto_string[6];
-
- MUST_BE_LOCKED(&ip_mms_lock);
-
- /* what was the protocol again ? */
- mms_proto = expect->tuple.dst.protonum;
- sprintf(proto_string, "%u", mms_proto);
-
- DEBUGP("ip_nat_mms: mms_data_fixup: info (seq %u + %u) in %u, proto %s\n",
- expect->seq, ct_mms_info->len, ntohl(tcph->seq),
- mms_proto == IPPROTO_UDP ? "UDP"
- : mms_proto == IPPROTO_TCP ? "TCP":proto_string);
-
- newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
-
- /* Alter conntrack's expectations. */
- t = expect->tuple;
- t.dst.ip = newip;
- for (port = ct_mms_info->port; port != 0; port++) {
- t.dst.u.tcp.port = htons(port);
- if (ip_conntrack_change_expect(expect, &t) == 0) {
- DEBUGP("ip_nat_mms: mms_data_fixup: using port %d\n", port);
- break;
- }
- }
-
- if(port == 0)
- return 0;
-
- sprintf(buffer, "\\\\%u.%u.%u.%u\\%s\\%u",
- NIPQUAD(newip),
- expect->tuple.dst.protonum == IPPROTO_UDP ? "UDP"
- : expect->tuple.dst.protonum == IPPROTO_TCP ? "TCP":proto_string,
- port);
- DEBUGP("ip_nat_mms: new unicode string=%s\n", buffer);
-
- memset(unicode_buffer, 0, sizeof(char)*75);
-
- for (i=0; i<strlen(buffer); ++i)
- *(unicode_buffer+i*2)=*(buffer+i);
-
- DEBUGP("ip_nat_mms: mms_data_fixup: padding: %u len: %u\n", ct_mms_info->padding, ct_mms_info->len);
- DEBUGP("ip_nat_mms: mms_data_fixup: offset: %u\n", MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len);
- DUMP_BYTES(data+MMS_SRV_UNICODE_STRING_OFFSET, 60);
-
- /* add end of packet to it */
- for (j=0; j<ct_mms_info->padding; ++j) {
- DEBUGP("ip_nat_mms: mms_data_fixup: i=%u j=%u byte=%u\n",
- i, j, (u8)*(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j));
- *(unicode_buffer+i*2+j) = *(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j);
- }
-
- /* pad with zeroes at the end ? see explanation of weird math below */
- zero_padding = (8-(strlen(buffer)*2 + ct_mms_info->padding + 4)%8)%8;
- for (k=0; k<zero_padding; ++k)
- *(unicode_buffer+i*2+j+k)= (char)0;
-
- DEBUGP("ip_nat_mms: mms_data_fixup: zero_padding = %u\n", zero_padding);
- DEBUGP("ip_nat_mms: original=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n",
- *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength);
-
- /* explanation, before I forget what I did:
- strlen(buffer)*2 + ct_mms_info->padding + 4 must be divisable by 8;
- divide by 8 and add 3 to compute the mms_chunkLenLM field,
- but note that things may have to be padded with zeroes to align by 8
- bytes, hence we add 7 and divide by 8 to get the correct length */
- *mms_chunkLenLM = (u_int32_t) (3+(strlen(buffer)*2+ct_mms_info->padding+11)/8);
- *mms_chunkLenLV = *mms_chunkLenLM+2;
- *mms_messageLength = *mms_chunkLenLV*8;
-
- DEBUGP("ip_nat_mms: modified=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n",
- *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength);
-
- ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- expect->seq - ntohl(tcph->seq),
- ct_mms_info->len + ct_mms_info->padding, unicode_buffer,
- strlen(buffer)*2 + ct_mms_info->padding + zero_padding);
- DUMP_BYTES(unicode_buffer, 60);
-
- return 1;
-}
-
-static unsigned int
-mms_nat_expected(struct sk_buff **pskb,
- unsigned int hooknum,
- struct ip_conntrack *ct,
- struct ip_nat_info *info)
-{
- struct ip_nat_multi_range mr;
- u_int32_t newdstip, newsrcip, newip;
-
- struct ip_conntrack *master = master_ct(ct);
-
- IP_NF_ASSERT(info);
- IP_NF_ASSERT(master);
-
- IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
-
- DEBUGP("ip_nat_mms: mms_nat_expected: We have a connection!\n");
-
- newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
- newsrcip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
- DEBUGP("ip_nat_mms: mms_nat_expected: hook %s: newsrc->newdst %u.%u.%u.%u->%u.%u.%u.%u\n",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???",
- NIPQUAD(newsrcip), NIPQUAD(newdstip));
-
- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC)
- newip = newsrcip;
- else
- newip = newdstip;
-
- DEBUGP("ip_nat_mms: mms_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip));
-
- mr.rangesize = 1;
- /* We don't want to manip the per-protocol, just the IPs. */
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
- mr.range[0].min_ip = mr.range[0].max_ip = newip;
-
- return ip_nat_setup_info(ct, &mr, hooknum);
-}
-
-
-static unsigned int mms_nat_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb)
-{
- struct iphdr *iph = (*pskb)->nh.iph;
- struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
- unsigned int datalen;
- int dir;
- struct ip_ct_mms_expect *ct_mms_info;
-
- if (!exp)
- DEBUGP("ip_nat_mms: no exp!!");
-
- ct_mms_info = &exp->help.exp_mms_info;
-
- /* Only mangle things once: original direction in POST_ROUTING
- and reply direction on PRE_ROUTING. */
- dir = CTINFO2DIR(ctinfo);
- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
- ||(hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
- DEBUGP("ip_nat_mms: mms_nat_help: not touching dir %s at hook %s\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
- return NF_ACCEPT;
- }
- DEBUGP("ip_nat_mms: mms_nat_help: beyond not touching (dir %s at hook %s)\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
-
- datalen = (*pskb)->len - iph->ihl * 4 - tcph->doff * 4;
-
- DEBUGP("ip_nat_mms: mms_nat_help: %u+%u=%u %u %u\n", exp->seq, ct_mms_info->len,
- exp->seq + ct_mms_info->len,
- ntohl(tcph->seq),
- ntohl(tcph->seq) + datalen);
-
- LOCK_BH(&ip_mms_lock);
- /* Check wether the whole IP/proto/port pattern is carried in the payload */
- if (between(exp->seq + ct_mms_info->len,
- ntohl(tcph->seq),
- ntohl(tcph->seq) + datalen)) {
- if (!mms_data_fixup(ct_mms_info, ct, pskb, ctinfo, exp)) {
- UNLOCK_BH(&ip_mms_lock);
- return NF_DROP;
- }
- } else {
- /* Half a match? This means a partial retransmisison.
- It's a cracker being funky. */
- if (net_ratelimit()) {
- printk("ip_nat_mms: partial packet %u/%u in %u/%u\n",
- exp->seq, ct_mms_info->len,
- ntohl(tcph->seq),
- ntohl(tcph->seq) + datalen);
- }
- UNLOCK_BH(&ip_mms_lock);
- return NF_DROP;
- }
- UNLOCK_BH(&ip_mms_lock);
-
- return NF_ACCEPT;
-}
-
-static struct ip_nat_helper mms[MAX_PORTS];
-static char mms_names[MAX_PORTS][10];
-
-/* Not __exit: called from init() */
-static void fini(void)
-{
- int i;
-
- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
- DEBUGP("ip_nat_mms: unregistering helper for port %d\n", ports[i]);
- ip_nat_helper_unregister(&mms[i]);
- }
-}
-
-static int __init init(void)
-{
- int i, ret = 0;
- char *tmpname;
-
- if (ports[0] == 0)
- ports[0] = MMS_PORT;
-
- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
-
- memset(&mms[i], 0, sizeof(struct ip_nat_helper));
-
- mms[i].tuple.dst.protonum = IPPROTO_TCP;
- mms[i].tuple.src.u.tcp.port = htons(ports[i]);
- mms[i].mask.dst.protonum = 0xFFFF;
- mms[i].mask.src.u.tcp.port = 0xFFFF;
- mms[i].help = mms_nat_help;
- mms[i].me = THIS_MODULE;
- mms[i].flags = 0;
- mms[i].expect = mms_nat_expected;
-
- tmpname = &mms_names[i][0];
- if (ports[i] == MMS_PORT)
- sprintf(tmpname, "mms");
- else
- sprintf(tmpname, "mms-%d", i);
- mms[i].name = tmpname;
-
- DEBUGP("ip_nat_mms: register helper for port %d\n",
- ports[i]);
- ret = ip_nat_helper_register(&mms[i]);
-
- if (ret) {
- printk("ip_nat_mms: error registering "
- "helper for port %d\n", ports[i]);
- fini();
- return ret;
- }
- ports_c++;
- }
-
- return ret;
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_pptp.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_pptp.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_pptp.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_pptp.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,412 +0,0 @@
-/*
- * ip_nat_pptp.c - Version 1.11
- *
- * NAT support for PPTP (Point to Point Tunneling Protocol).
- * PPTP is a a protocol for creating virtual private networks.
- * It is a specification defined by Microsoft and some vendors
- * working with Microsoft. PPTP is built on top of a modified
- * version of the Internet Generic Routing Encapsulation Protocol.
- * GRE is defined in RFC 1701 and RFC 1702. Documentation of
- * PPTP can be found in RFC 2637
- *
- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
- *
- * Development of this code funded by Astaro AG (http://www.astaro.com/)
- *
- * TODO: - Support for multiple calls within one session
- * (needs netfilter newnat code)
- * - NAT to a unique tuple, not to TCP source port
- * (needs netfilter tuple reservation)
- * - Support other NAT scenarios than SNAT of PNS
- *
- */
-
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <net/tcp.h>
-#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <linux/netfilter_ipv4/ip_nat_helper.h>
-#include <linux/netfilter_ipv4/ip_nat_pptp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP");
-
-
-#define DEBUGP(format, args...)
-
-static unsigned int
-pptp_nat_expected(struct sk_buff **pskb,
- unsigned int hooknum,
- struct ip_conntrack *ct,
- struct ip_nat_info *info)
-{
- struct ip_conntrack *master = master_ct(ct);
- struct ip_nat_multi_range mr;
- struct ip_ct_pptp_master *ct_pptp_info;
- struct ip_nat_pptp *nat_pptp_info;
- u_int32_t newsrcip, newdstip, newcid;
- int ret;
-
- IP_NF_ASSERT(info);
- IP_NF_ASSERT(master);
- IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
-
- DEBUGP("we have a connection!\n");
-
- LOCK_BH(&ip_pptp_lock);
- ct_pptp_info = &master->help.ct_pptp_info;
- nat_pptp_info = &master->nat.help.nat_pptp_info;
-
- /* need to alter GRE tuple because conntrack expectfn() used 'wrong'
- * (unmanipulated) values */
- if (hooknum == NF_IP_PRE_ROUTING) {
- DEBUGP("completing tuples with NAT info \n");
- /* we can do this, since we're unconfirmed */
- if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key ==
- htonl(ct_pptp_info->pac_call_id)) {
- /* assume PNS->PAC */
- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
- htonl(nat_pptp_info->pns_call_id);
-// ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.gre.key =
-// htonl(nat_pptp_info->pac_call_id);
- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
- htonl(nat_pptp_info->pns_call_id);
- } else {
- /* assume PAC->PNS */
- DEBUGP("WRONG DIRECTION\n");
- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
- htonl(nat_pptp_info->pac_call_id);
- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
- htonl(nat_pptp_info->pns_call_id);
- }
- }
-
- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
- newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
- newcid = htonl(master->nat.help.nat_pptp_info.pac_call_id);
-
- mr.rangesize = 1;
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
- mr.range[0].min_ip = mr.range[0].max_ip = newdstip;
- mr.range[0].min = mr.range[0].max =
- ((union ip_conntrack_manip_proto ) { newcid });
- DEBUGP("change dest ip to %u.%u.%u.%u\n",
- NIPQUAD(newdstip));
- DEBUGP("change dest key to 0x%x\n", ntohl(newcid));
- ret = ip_nat_setup_info(ct, &mr, hooknum);
- } else {
- newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- /* nat_multi_range is in network byte order, and GRE tuple
- * is 32 bits, not 16 like callID */
- newcid = htonl(master->help.ct_pptp_info.pns_call_id);
-
- mr.rangesize = 1;
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS
- |IP_NAT_RANGE_PROTO_SPECIFIED;
- mr.range[0].min_ip = mr.range[0].max_ip = newsrcip;
- mr.range[0].min = mr.range[0].max =
- ((union ip_conntrack_manip_proto ) { newcid });
- DEBUGP("change src ip to %u.%u.%u.%u\n",
- NIPQUAD(newsrcip));
- DEBUGP("change 'src' key to 0x%x\n", ntohl(newcid));
- ret = ip_nat_setup_info(ct, &mr, hooknum);
- }
-
- UNLOCK_BH(&ip_pptp_lock);
-
- return ret;
-
-}
-
-/* outbound packets == from PNS to PAC */
-static inline unsigned int
-pptp_outbound_pkt(struct tcphdr *tcph, struct pptp_pkt_hdr *pptph,
- size_t datalen,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo,
- struct ip_conntrack_expect *exp)
-
-{
- struct PptpControlHeader *ctlh;
- union pptp_ctrl_union pptpReq;
- struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
- struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-
- u_int16_t msg, *cid = NULL, new_callid;
-
- ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
- pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
-
- new_callid = htons(ct_pptp_info->pns_call_id);
-
- switch (msg = ntohs(ctlh->messageType)) {
- case PPTP_OUT_CALL_REQUEST:
- cid = &pptpReq.ocreq->callID;
-
- /* save original call ID in nat_info */
- nat_pptp_info->pns_call_id = ct_pptp_info->pns_call_id;
-
- new_callid = tcph->source;
- /* save new call ID in ct info */
- ct_pptp_info->pns_call_id = ntohs(new_callid);
- break;
- case PPTP_IN_CALL_REPLY:
- cid = &pptpReq.icreq->callID;
- break;
- case PPTP_CALL_CLEAR_REQUEST:
- cid = &pptpReq.clrreq->callID;
- break;
- case PPTP_CALL_DISCONNECT_NOTIFY:
- cid = &pptpReq.disc->callID;
- break;
-
- default:
- DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
- (msg <= PPTP_MSG_MAX)? strMName[msg]:strMName[0]);
- /* fall through */
-
- case PPTP_SET_LINK_INFO:
- /* only need to NAT in case PAC is behind NAT box */
- case PPTP_START_SESSION_REQUEST:
- case PPTP_START_SESSION_REPLY:
- case PPTP_STOP_SESSION_REQUEST:
- case PPTP_STOP_SESSION_REPLY:
- case PPTP_ECHO_REQUEST:
- case PPTP_ECHO_REPLY:
- /* no need to alter packet */
- return NF_ACCEPT;
- }
-
- IP_NF_ASSERT(cid);
-
- DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_callid));
- /* mangle packet */
- tcph->check = ip_nat_cheat_check(*cid^0xFFFF,
- new_callid, tcph->check);
- *cid = new_callid;
-
- return NF_ACCEPT;
-}
-
-/* inbound packets == from PAC to PNS */
-static inline unsigned int
-pptp_inbound_pkt(struct tcphdr *tcph, struct pptp_pkt_hdr *pptph,
- size_t datalen,
- struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo,
- struct ip_conntrack_expect *oldexp)
-{
- struct PptpControlHeader *ctlh;
- union pptp_ctrl_union pptpReq;
- struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
- struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-
- u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
- u_int32_t old_dst_ip;
-
- struct ip_conntrack_tuple t;
-
- ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
- pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
-
- new_pcid = htons(nat_pptp_info->pns_call_id);
-
- switch (msg = ntohs(ctlh->messageType)) {
- case PPTP_OUT_CALL_REPLY:
- pcid = &pptpReq.ocack->peersCallID;
- cid = &pptpReq.ocack->callID;
- if (!oldexp) {
- DEBUGP("outcall but no expectation\n");
- break;
- }
- old_dst_ip = oldexp->tuple.dst.ip;
- t = oldexp->tuple;
-
- /* save original PAC call ID in nat_info */
- nat_pptp_info->pac_call_id = ct_pptp_info->pac_call_id;
-
- /* store new callID in ct_info, so conntrack works */
- //ct_pptp_info->pac_call_id = ntohs(tcph->source);
- //new_cid = htons(ct_pptp_info->pac_call_id);
-
- /* alter expectation */
- if (t.dst.ip == ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip) {
- /* expectation for PNS->PAC direction */
- t.dst.u.gre.key = htonl(ct_pptp_info->pac_call_id);
- t.src.u.gre.key = htonl(nat_pptp_info->pns_call_id);
- } else {
- /* expectation for PAC->PNS direction */
- t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- DEBUGP("EXPECTATION IN WRONG DIRECTION!!!\n");
- }
-
- if (!ip_conntrack_change_expect(oldexp, &t)) {
- DEBUGP("successfully changed expect\n");
- } else {
- DEBUGP("can't change expect\n");
- }
- ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_orig, &t);
- /* reply keymap */
- t.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
- t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- t.src.u.gre.key = htonl(nat_pptp_info->pac_call_id);
- t.dst.u.gre.key = htonl(ct_pptp_info->pns_call_id);
- ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_reply, &t);
-
- break;
- case PPTP_IN_CALL_CONNECT:
- pcid = &pptpReq.iccon->peersCallID;
- if (!oldexp)
- break;
- old_dst_ip = oldexp->tuple.dst.ip;
- t = oldexp->tuple;
-
- /* alter expectation, no need for callID */
- if (t.dst.ip == ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip) {
- /* expectation for PNS->PAC direction */
- t.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- } else {
- /* expectation for PAC->PNS direction */
- t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
- }
-
- if (!ip_conntrack_change_expect(oldexp, &t)) {
- DEBUGP("successfully changed expect\n");
- } else {
- DEBUGP("can't change expect\n");
- }
- break;
- case PPTP_IN_CALL_REQUEST:
- /* only need to nat in case PAC is behind NAT box */
- break;
- case PPTP_WAN_ERROR_NOTIFY:
- pcid = &pptpReq.wanerr->peersCallID;
- break;
- default:
- DEBUGP("unknown inbound packet %s\n",
- (msg <= PPTP_MSG_MAX)? strMName[msg]:strMName[0]);
- /* fall through */
-
- case PPTP_START_SESSION_REQUEST:
- case PPTP_START_SESSION_REPLY:
- case PPTP_STOP_SESSION_REQUEST:
- case PPTP_ECHO_REQUEST:
- case PPTP_ECHO_REPLY:
- /* no need to alter packet */
- return NF_ACCEPT;
- }
-
- /* mangle packet */
- IP_NF_ASSERT(pcid);
- DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
- ntohs(*pcid), ntohs(new_pcid));
- tcph->check = ip_nat_cheat_check(*pcid^0xFFFF,
- new_pcid, tcph->check);
- *pcid = new_pcid;
-
- if (new_cid) {
- IP_NF_ASSERT(cid);
- DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_cid));
- tcph->check = ip_nat_cheat_check(*cid^0xFFFF,
- new_cid, tcph->check);
- *cid = new_cid;
- }
-
- /* great, at least we don't need to resize packets */
- return NF_ACCEPT;
-}
-
-
-static unsigned int tcp_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum, struct sk_buff **pskb)
-{
- struct iphdr *iph = (*pskb)->nh.iph;
- struct tcphdr *tcph = (void *) iph + iph->ihl*4;
- unsigned int datalen = (*pskb)->len - iph->ihl*4 - tcph->doff*4;
- struct pptp_pkt_hdr *pptph;
- void *datalimit;
-
- int dir;
-
- DEBUGP("entering\n");
-
- /* Only mangle things once: original direction in POST_ROUTING
- and reply direction on PRE_ROUTING. */
- dir = CTINFO2DIR(ctinfo);
- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
- DEBUGP("Not touching dir %s at hook %s\n",
- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
- return NF_ACCEPT;
- }
-
- /* if packet is too small, just skip it */
- if (datalen < sizeof(struct pptp_pkt_hdr)+
- sizeof(struct PptpControlHeader)) {
- DEBUGP("pptp packet too short\n");
- return NF_ACCEPT;
- }
-
-
- pptph = (struct pptp_pkt_hdr *) ((void *)tcph + tcph->doff*4);
- datalimit = (void *) pptph + datalen;
-
- LOCK_BH(&ip_pptp_lock);
-
- if (dir == IP_CT_DIR_ORIGINAL) {
- /* reuqests sent by client to server (PNS->PAC) */
- pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo, exp);
- } else {
- /* response from the server to the client (PAC->PNS) */
- pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo, exp);
- }
-
- UNLOCK_BH(&ip_pptp_lock);
-
- return NF_ACCEPT;
-}
-
-/* nat helper struct for control connection */
-static struct ip_nat_helper pptp_tcp_helper = {
- { NULL, NULL },
- "pptp", IP_NAT_HELPER_F_ALWAYS, THIS_MODULE,
- { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } },
- { 0, { 0 }, IPPROTO_TCP } },
- { { 0, { tcp: { port: 0xFFFF } } },
- { 0, { 0 }, 0xFFFF } },
- tcp_help, pptp_nat_expected };
-
-
-static int __init init(void)
-{
- DEBUGP("init_module\n" );
-
- if (ip_nat_helper_register(&pptp_tcp_helper))
- return -EIO;
-
- return 0;
-}
-
-static void __exit fini(void)
-{
- DEBUGP("cleanup_module\n" );
- ip_nat_helper_unregister(&pptp_tcp_helper);
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_proto_gre.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_proto_gre.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_proto_gre.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_proto_gre.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,212 +0,0 @@
-/*
- * ip_nat_proto_gre.c - Version 1.11
- *
- * NAT protocol helper module for GRE.
- *
- * GRE is a generic encapsulation protocol, which is generally not very
- * suited for NAT, as it has no protocol-specific part as port numbers.
- *
- * It has an optional key field, which may help us distinguishing two
- * connections between the same two hosts.
- *
- * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
- *
- * PPTP is built on top of a modified version of GRE, and has a mandatory
- * field called "CallID", which serves us for the same purpose as the key
- * field in plain GRE.
- *
- * Documentation about PPTP can be found in RFC 2637
- *
- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
- *
- * Development of this code funded by Astaro AG (http://www.astaro.com/)
- *
- */
-
-#include <linux/config.h>
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-#include <linux/netfilter_ipv4/ip_nat_protocol.h>
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("Netfilter NAT protocol helper module for GRE");
-
-#define DEBUGP(x, args...)
-
-/* is key in given range between min and max */
-static int
-gre_in_range(const struct ip_conntrack_tuple *tuple,
- enum ip_nat_manip_type maniptype,
- const union ip_conntrack_manip_proto *min,
- const union ip_conntrack_manip_proto *max)
-{
- return ntohl(tuple->src.u.gre.key) >= ntohl(min->gre.key)
- && ntohl(tuple->src.u.gre.key) <= ntohl(max->gre.key);
-}
-
-/* generate unique tuple ... */
-static int
-gre_unique_tuple(struct ip_conntrack_tuple *tuple,
- const struct ip_nat_range *range,
- enum ip_nat_manip_type maniptype,
- const struct ip_conntrack *conntrack)
-{
- u_int32_t min, i, range_size;
- u_int32_t key = 0, *keyptr;
-
- if (maniptype == IP_NAT_MANIP_SRC)
- keyptr = &tuple->src.u.gre.key;
- else
- keyptr = &tuple->dst.u.gre.key;
-
- if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) {
-
- switch (tuple->dst.u.gre.version) {
- case 0:
- DEBUGP("NATing GRE version 0 (ct=%p)\n",
- conntrack);
- min = 1;
- range_size = 0xffffffff;
- break;
- case GRE_VERSION_PPTP:
- DEBUGP("%p: NATing GRE PPTP\n",
- conntrack);
- min = 1;
- range_size = 0xffff;
- break;
- default:
- printk(KERN_WARNING "nat_gre: unknown GRE version\n");
- return 0;
- break;
- }
-
- } else {
- min = ntohl(range->min.gre.key);
- range_size = ntohl(range->max.gre.key) - min + 1;
- }
-
- DEBUGP("min = %u, range_size = %u\n", min, range_size);
-
- for (i = 0; i < range_size; i++, key++) {
- *keyptr = htonl(min + key % range_size);
- if (!ip_nat_used_tuple(tuple, conntrack))
- return 1;
- }
-
- DEBUGP("%p: no NAT mapping\n", conntrack);
-
- return 0;
-}
-
-/* manipulate a GRE packet according to maniptype */
-static void
-gre_manip_pkt(struct iphdr *iph, size_t len,
- const struct ip_conntrack_manip *manip,
- enum ip_nat_manip_type maniptype)
-{
- struct gre_hdr *greh = (struct gre_hdr *)((u_int32_t *)iph+iph->ihl);
- struct gre_hdr_pptp *pgreh = (struct gre_hdr_pptp *) greh;
-
- /* we only have destination manip of a packet, since 'source key'
- * is not present in the packet itself */
- if (maniptype == IP_NAT_MANIP_DST) {
- /* key manipulation is always dest */
- switch (greh->version) {
- case 0:
- if (!greh->key) {
- DEBUGP("can't nat GRE w/o key\n");
- break;
- }
- if (greh->csum) {
- *(gre_csum(greh)) =
- ip_nat_cheat_check(~*(gre_key(greh)),
- manip->u.gre.key,
- *(gre_csum(greh)));
- }
- *(gre_key(greh)) = manip->u.gre.key;
- break;
- case GRE_VERSION_PPTP:
- DEBUGP("call_id -> 0x%04x\n",
- ntohl(manip->u.gre.key));
- pgreh->call_id = htons(ntohl(manip->u.gre.key));
- break;
- default:
- DEBUGP("can't nat unknown GRE version\n");
- break;
- }
- }
-}
-
-/* print out a nat tuple */
-static unsigned int
-gre_print(char *buffer,
- const struct ip_conntrack_tuple *match,
- const struct ip_conntrack_tuple *mask)
-{
- unsigned int len = 0;
-
- if (mask->dst.u.gre.version)
- len += sprintf(buffer + len, "version=%d ",
- ntohs(match->dst.u.gre.version));
-
- if (mask->dst.u.gre.protocol)
- len += sprintf(buffer + len, "protocol=0x%x ",
- ntohs(match->dst.u.gre.protocol));
-
- if (mask->src.u.gre.key)
- len += sprintf(buffer + len, "srckey=0x%x ",
- ntohl(match->src.u.gre.key));
-
- if (mask->dst.u.gre.key)
- len += sprintf(buffer + len, "dstkey=0x%x ",
- ntohl(match->src.u.gre.key));
-
- return len;
-}
-
-/* print a range of keys */
-static unsigned int
-gre_print_range(char *buffer, const struct ip_nat_range *range)
-{
- if (range->min.gre.key != 0
- || range->max.gre.key != 0xFFFF) {
- if (range->min.gre.key == range->max.gre.key)
- return sprintf(buffer, "key 0x%x ",
- ntohl(range->min.gre.key));
- else
- return sprintf(buffer, "keys 0x%u-0x%u ",
- ntohl(range->min.gre.key),
- ntohl(range->max.gre.key));
- } else
- return 0;
-}
-
-/* nat helper struct */
-static struct ip_nat_protocol gre =
- { { NULL, NULL }, "GRE", IPPROTO_GRE,
- gre_manip_pkt,
- gre_in_range,
- gre_unique_tuple,
- gre_print,
- gre_print_range
- };
-
-static int __init init(void)
-{
- if (ip_nat_protocol_register(&gre))
- return -EIO;
-
- return 0;
-}
-
-static void __exit fini(void)
-{
- ip_nat_protocol_unregister(&gre);
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_standalone.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_standalone.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_standalone.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_standalone.c 2004-05-09 04:13:03.000000000 -0400
@@ -37,7 +37,11 @@
#include <linux/netfilter_ipv4/ip_conntrack_core.h>
#include <linux/netfilter_ipv4/listhelp.h>
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
#define HOOKNAME(hooknum) ((hooknum) == NF_IP_POST_ROUTING ? "POST_ROUTING" \
: ((hooknum) == NF_IP_PRE_ROUTING ? "PRE_ROUTING" \
@@ -354,6 +358,5 @@
EXPORT_SYMBOL(ip_nat_helper_unregister);
EXPORT_SYMBOL(ip_nat_cheat_check);
EXPORT_SYMBOL(ip_nat_mangle_tcp_packet);
-EXPORT_SYMBOL(ip_nat_mangle_udp_packet);
EXPORT_SYMBOL(ip_nat_used_tuple);
MODULE_LICENSE("GPL");
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_tftp.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_tftp.c
--- src/linux/linux/net/ipv4/netfilter/ip_nat_tftp.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_tftp.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,186 +0,0 @@
-/*
- * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu>
- * Version: 0.0.7
- *
- * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org>
- * - Port to newnat API
- *
- * This module currently supports DNAT:
- * iptables -t nat -A PREROUTING -d x.x.x.x -j DNAT --to-dest x.x.x.y
- *
- * and SNAT:
- * iptables -t nat -A POSTROUTING { -j MASQUERADE , -j SNAT --to-source x.x.x.x }
- *
- * It has not been tested with
- * -j SNAT --to-source x.x.x.x-x.x.x.y since I only have one external ip
- * If you do test this please let me know if it works or not.
- *
- */
-
-#include <linux/module.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/ip.h>
-#include <linux/udp.h>
-
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tftp.h>
-#include <linux/netfilter_ipv4/ip_nat_helper.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-
-MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>");
-MODULE_DESCRIPTION("Netfilter NAT helper for tftp");
-MODULE_LICENSE("GPL");
-
-#define MAX_PORTS 8
-
-static int ports[MAX_PORTS];
-static int ports_c = 0;
-#ifdef MODULE_PARM
-MODULE_PARM(ports,"1-" __MODULE_STRING(MAX_PORTS) "i");
-MODULE_PARM_DESC(ports, "port numbers of tftp servers");
-#endif
-
-#define DEBUGP(format, args...)
-static unsigned int
-tftp_nat_help(struct ip_conntrack *ct,
- struct ip_conntrack_expect *exp,
- struct ip_nat_info *info,
- enum ip_conntrack_info ctinfo,
- unsigned int hooknum,
- struct sk_buff **pskb)
-{
- int dir = CTINFO2DIR(ctinfo);
- struct iphdr *iph = (*pskb)->nh.iph;
- struct udphdr *udph = (void *)iph + iph->ihl * 4;
- struct tftphdr *tftph = (void *)udph + 8;
- struct ip_conntrack_tuple repl;
-
- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY)))
- return NF_ACCEPT;
-
- if (!exp) {
- DEBUGP("no conntrack expectation to modify\n");
- return NF_ACCEPT;
- }
-
- switch (ntohs(tftph->opcode)) {
- /* RRQ and WRQ works the same way */
- case TFTP_OPCODE_READ:
- case TFTP_OPCODE_WRITE:
- repl = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
- DEBUGP("");
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
- DEBUGP("expecting: ");
- DUMP_TUPLE_RAW(&repl);
- DUMP_TUPLE_RAW(&exp->mask);
- ip_conntrack_change_expect(exp, &repl);
- break;
- default:
- DEBUGP("Unknown opcode\n");
- }
-
- return NF_ACCEPT;
-}
-
-static unsigned int
-tftp_nat_expected(struct sk_buff **pskb,
- unsigned int hooknum,
- struct ip_conntrack *ct,
- struct ip_nat_info *info)
-{
- const struct ip_conntrack *master = ct->master->expectant;
- const struct ip_conntrack_tuple *orig =
- &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
- struct ip_nat_multi_range mr;
-
- IP_NF_ASSERT(info);
- IP_NF_ASSERT(master);
- IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
-
- mr.rangesize = 1;
- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
-
- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) {
- mr.range[0].min_ip = mr.range[0].max_ip = orig->dst.ip;
- DEBUGP("orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u "
- "newsrc: %u.%u.%u.%u\n",
- NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source),
- NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest),
- NIPQUAD(orig->dst.ip));
- } else {
- mr.range[0].min_ip = mr.range[0].max_ip = orig->src.ip;
- mr.range[0].min.udp.port = mr.range[0].max.udp.port =
- orig->src.u.udp.port;
- mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
-
- DEBUGP("orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u "
- "newdst: %u.%u.%u.%u:%u\n",
- NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source),
- NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest),
- NIPQUAD(orig->src.ip), ntohs(orig->src.u.udp.port));
- }
-
- return ip_nat_setup_info(ct,&mr,hooknum);
-}
-
-static struct ip_nat_helper tftp[MAX_PORTS];
-static char tftp_names[MAX_PORTS][10];
-
-static void fini(void)
-{
- int i;
-
- for (i = 0 ; i < ports_c; i++) {
- DEBUGP("unregistering helper for port %d\n", ports[i]);
- ip_nat_helper_unregister(&tftp[i]);
- }
-}
-
-static int __init init(void)
-{
- int i, ret;
- char *tmpname;
-
- if (!ports[0])
- ports[0] = TFTP_PORT;
-
- for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
- memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
-
- tftp[i].tuple.dst.protonum = IPPROTO_UDP;
- tftp[i].tuple.src.u.udp.port = htons(ports[i]);
- tftp[i].mask.dst.protonum = 0xFFFF;
- tftp[i].mask.src.u.udp.port = 0xFFFF;
- tftp[i].help = tftp_nat_help;
- tftp[i].flags = 0;
- tftp[i].me = THIS_MODULE;
- tftp[i].expect = tftp_nat_expected;
-
- tmpname = &tftp_names[i][0];
- if (ports[i] == TFTP_PORT)
- sprintf(tmpname, "tftp");
- else
- sprintf(tmpname, "tftp-%d", i);
- tftp[i].name = tmpname;
-
- DEBUGP("ip_nat_tftp: registering for port %d: name %s\n",
- ports[i], tftp[i].name);
- ret = ip_nat_helper_register(&tftp[i]);
-
- if (ret) {
- printk("ip_nat_tftp: unable to register for port %d\n",
- ports[i]);
- fini();
- return ret;
- }
- ports_c++;
- }
- return ret;
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_pool.c src/linux/linux.stock/net/ipv4/netfilter/ip_pool.c
--- src/linux/linux/net/ipv4/netfilter/ip_pool.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_pool.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,328 +0,0 @@
-/* Kernel module for IP pool management */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_pool.h>
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/interrupt.h>
-#include <linux/spinlock.h>
-
-#define DP(format, args...)
-
-MODULE_LICENSE("GPL");
-
-#define NR_POOL 16
-static int nr_pool = NR_POOL;/* overwrite this when loading module */
-
-struct ip_pool {
- u_int32_t first_ip; /* host byte order, included in range */
- u_int32_t last_ip; /* host byte order, included in range */
- void *members; /* the bitmap proper */
- int nr_use; /* total nr. of tests through this */
- int nr_match; /* total nr. of matches through this */
- rwlock_t lock;
-};
-
-static struct ip_pool *POOL;
-
-static inline struct ip_pool *lookup(ip_pool_t index)
-{
- if (index < 0 || index >= nr_pool) {
- DP("ip_pool:lookup: bad index %d\n", index);
- return 0;
- }
- return POOL+index;
-}
-
-int ip_pool_match(ip_pool_t index, u_int32_t addr)
-{
- struct ip_pool *pool = lookup(index);
- int res = 0;
-
- if (!pool || !pool->members)
- return 0;
- read_lock_bh(&pool->lock);
- if (pool->members) {
- if (addr >= pool->first_ip && addr <= pool->last_ip) {
- addr -= pool->first_ip;
- if (test_bit(addr, pool->members)) {
- res = 1;
-#ifdef CONFIG_IP_POOL_STATISTICS
- pool->nr_match++;
-#endif
- }
- }
-#ifdef CONFIG_IP_POOL_STATISTICS
- pool->nr_use++;
-#endif
- }
- read_unlock_bh(&pool->lock);
- return res;
-}
-
-static int pool_change(ip_pool_t index, u_int32_t addr, int isdel)
-{
- struct ip_pool *pool;
- int res = -1;
-
- pool = lookup(index);
- if ( !pool || !pool->members
- || addr < pool->first_ip || addr > pool->last_ip)
- return -1;
- read_lock_bh(&pool->lock);
- if (pool->members && addr >= pool->first_ip && addr <= pool->last_ip) {
- addr -= pool->first_ip;
- res = isdel
- ? (0 != test_and_clear_bit(addr, pool->members))
- : (0 != test_and_set_bit(addr, pool->members));
- }
- read_unlock_bh(&pool->lock);
- return res;
-}
-
-int ip_pool_mod(ip_pool_t index, u_int32_t addr, int isdel)
-{
- int res = pool_change(index,addr,isdel);
-
- if (!isdel) res = !res;
- return res;
-}
-
-static inline int bitmap_bytes(u_int32_t a, u_int32_t b)
-{
- return 4*((((b-a+8)/8)+3)/4);
-}
-
-static inline int poolbytes(ip_pool_t index)
-{
- struct ip_pool *pool = lookup(index);
-
- return pool ? bitmap_bytes(pool->first_ip, pool->last_ip) : 0;
-}
-
-static int setpool(
- struct sock *sk,
- int optval,
- void *user,
- unsigned int len
-) {
- struct ip_pool_request req;
-
- DP("ip_pool:setpool: optval=%d, user=%p, len=%d\n", optval, user, len);
- if (!capable(CAP_NET_ADMIN))
- return -EPERM;
- if (optval != SO_IP_POOL)
- return -EBADF;
- if (len != sizeof(req))
- return -EINVAL;
- if (copy_from_user(&req, user, sizeof(req)) != 0)
- return -EFAULT;
- printk("obsolete op - upgrade your ippool(8) utility.\n");
- return -EINVAL;
-}
-
-static int getpool(
- struct sock *sk,
- int optval,
- void *user,
- int *len
-) {
- struct ip_pool_request req;
- struct ip_pool *pool;
- ip_pool_t i;
- int newbytes;
- void *newmembers;
- int res;
-
- DP("ip_pool:getpool: optval=%d, user=%p\n", optval, user);
- if (!capable(CAP_NET_ADMIN))
- return -EINVAL;
- if (optval != SO_IP_POOL)
- return -EINVAL;
- if (*len != sizeof(req)) {
- return -EFAULT;
- }
- if (copy_from_user(&req, user, sizeof(req)) != 0)
- return -EFAULT;
- DP("ip_pool:getpool op=%d, index=%d\n", req.op, req.index);
- if (req.op < IP_POOL_BAD001) {
- printk("obsolete op - upgrade your ippool(8) utility.\n");
- return -EFAULT;
- }
- switch(req.op) {
- case IP_POOL_HIGH_NR:
- DP("ip_pool HIGH_NR\n");
- req.index = IP_POOL_NONE;
- for (i=0; i<nr_pool; i++)
- if (POOL[i].members)
- req.index = i;
- return copy_to_user(user, &req, sizeof(req));
- case IP_POOL_LOOKUP:
- DP("ip_pool LOOKUP\n");
- pool = lookup(req.index);
- if (!pool)
- return -EINVAL;
- if (!pool->members)
- return -EBADF;
- req.addr = htonl(pool->first_ip);
- req.addr2 = htonl(pool->last_ip);
- return copy_to_user(user, &req, sizeof(req));
- case IP_POOL_USAGE:
- DP("ip_pool USE\n");
- pool = lookup(req.index);
- if (!pool)
- return -EINVAL;
- if (!pool->members)
- return -EBADF;
- req.addr = pool->nr_use;
- req.addr2 = pool->nr_match;
- return copy_to_user(user, &req, sizeof(req));
- case IP_POOL_TEST_ADDR:
- DP("ip_pool TEST 0x%08x\n", req.addr);
- pool = lookup(req.index);
- if (!pool)
- return -EINVAL;
- res = 0;
- read_lock_bh(&pool->lock);
- if (!pool->members) {
- DP("ip_pool TEST_ADDR no members in pool\n");
- res = -EBADF;
- goto unlock_and_return_res;
- }
- req.addr = ntohl(req.addr);
- if (req.addr < pool->first_ip) {
- DP("ip_pool TEST_ADDR address < pool bounds\n");
- res = -ERANGE;
- goto unlock_and_return_res;
- }
- if (req.addr > pool->last_ip) {
- DP("ip_pool TEST_ADDR address > pool bounds\n");
- res = -ERANGE;
- goto unlock_and_return_res;
- }
- req.addr = (0 != test_bit((req.addr - pool->first_ip),
- pool->members));
- read_unlock_bh(&pool->lock);
- return copy_to_user(user, &req, sizeof(req));
- case IP_POOL_FLUSH:
- DP("ip_pool FLUSH not yet implemented.\n");
- return -EBUSY;
- case IP_POOL_DESTROY:
- DP("ip_pool DESTROY not yet implemented.\n");
- return -EBUSY;
- case IP_POOL_INIT:
- DP("ip_pool INIT 0x%08x-0x%08x\n", req.addr, req.addr2);
- pool = lookup(req.index);
- if (!pool)
- return -EINVAL;
- req.addr = ntohl(req.addr);
- req.addr2 = ntohl(req.addr2);
- if (req.addr > req.addr2) {
- DP("ip_pool INIT bad ip range\n");
- return -EINVAL;
- }
- newbytes = bitmap_bytes(req.addr, req.addr2);
- newmembers = kmalloc(newbytes, GFP_KERNEL);
- if (!newmembers) {
- DP("ip_pool INIT out of mem for %d bytes\n", newbytes);
- return -ENOMEM;
- }
- memset(newmembers, 0, newbytes);
- write_lock_bh(&pool->lock);
- if (pool->members) {
- DP("ip_pool INIT pool %d exists\n", req.index);
- kfree(newmembers);
- res = -EBUSY;
- goto unlock_and_return_res;
- }
- pool->first_ip = req.addr;
- pool->last_ip = req.addr2;
- pool->nr_use = 0;
- pool->nr_match = 0;
- pool->members = newmembers;
- write_unlock_bh(&pool->lock);
- return 0;
- case IP_POOL_ADD_ADDR:
- DP("ip_pool ADD_ADDR 0x%08x\n", req.addr);
- req.addr = pool_change(req.index, ntohl(req.addr), 0);
- return copy_to_user(user, &req, sizeof(req));
- case IP_POOL_DEL_ADDR:
- DP("ip_pool DEL_ADDR 0x%08x\n", req.addr);
- req.addr = pool_change(req.index, ntohl(req.addr), 1);
- return copy_to_user(user, &req, sizeof(req));
- default:
- DP("ip_pool:getpool bad op %d\n", req.op);
- return -EINVAL;
- }
- return -EINVAL;
-
-unlock_and_return_res:
- if (pool)
- read_unlock_bh(&pool->lock);
- return res;
-}
-
-static struct nf_sockopt_ops so_pool
-= { { NULL, NULL }, PF_INET,
- SO_IP_POOL, SO_IP_POOL+1, &setpool,
- SO_IP_POOL, SO_IP_POOL+1, &getpool,
- 0, NULL };
-
-MODULE_PARM(nr_pool, "i");
-
-static int __init init(void)
-{
- ip_pool_t i;
- int res;
-
- if (nr_pool < 1) {
- printk("ip_pool module init: bad nr_pool %d\n", nr_pool);
- return -EINVAL;
- }
- POOL = kmalloc(nr_pool * sizeof(*POOL), GFP_KERNEL);
- if (!POOL) {
- printk("ip_pool module init: out of memory for nr_pool %d\n",
- nr_pool);
- return -ENOMEM;
- }
- for (i=0; i<nr_pool; i++) {
- POOL[i].first_ip = 0;
- POOL[i].last_ip = 0;
- POOL[i].members = 0;
- POOL[i].nr_use = 0;
- POOL[i].nr_match = 0;
- POOL[i].lock = RW_LOCK_UNLOCKED;
- }
- res = nf_register_sockopt(&so_pool);
- DP("ip_pool:init %d pools, result %d\n", nr_pool, res);
- if (res != 0) {
- kfree(POOL);
- POOL = 0;
- }
- return res;
-}
-
-static void __exit fini(void)
-{
- ip_pool_t i;
-
- DP("ip_pool:fini BYEBYE\n");
- nf_unregister_sockopt(&so_pool);
- for (i=0; i<nr_pool; i++) {
- if (POOL[i].members) {
- kfree(POOL[i].members);
- POOL[i].members = 0;
- }
- }
- kfree(POOL);
- POOL = 0;
- DP("ip_pool:fini these are the famous last words\n");
- return;
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_tables.c src/linux/linux.stock/net/ipv4/netfilter/ip_tables.c
--- src/linux/linux/net/ipv4/netfilter/ip_tables.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ip_tables.c 2004-05-09 04:13:03.000000000 -0400
@@ -62,6 +62,11 @@
#include <linux/netfilter_ipv4/lockhelp.h>
#include <linux/netfilter_ipv4/listhelp.h>
+#if 0
+/* All the better to debug you with... */
+#define static
+#define inline
+#endif
/* Locking is simple: we assume at worst case there will be one packet
in user context and one from bottom halves (or soft irq if Alexey's
@@ -83,6 +88,7 @@
{
/* Size per table */
unsigned int size;
+ /* Number of entries: FIXME. --RR */
unsigned int number;
/* Initial number of entries. Needed for module usage count */
unsigned int initial_entries;
@@ -106,6 +112,11 @@
#define TABLE_OFFSET(t,p) 0
#endif
+#if 0
+#define down(x) do { printk("DOWN:%u:" #x "\n", __LINE__); down(x); } while(0)
+#define down_interruptible(x) ({ int __r; printk("DOWNi:%u:" #x "\n", __LINE__); __r = down_interruptible(x); if (__r != 0) printk("ABORT-DOWNi:%u\n", __LINE__); __r; })
+#define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0)
+#endif
/* Returns whether matches rule or not. */
static inline int
@@ -408,6 +419,12 @@
{
void *ret;
+#if 0
+ duprintf("find_inlist: searching for `%s' in %s.\n",
+ name, head == &ipt_target ? "ipt_target"
+ : head == &ipt_match ? "ipt_match"
+ : head == &ipt_tables ? "ipt_tables" : "UNKNOWN");
+#endif
*error = down_interruptible(mutex);
if (*error != 0)
@@ -745,6 +762,8 @@
newinfo->underflow[h] = underflows[h];
}
+ /* FIXME: underflows must be unconditional, standard verdicts
+ < 0 (not IPT_RETURN). --RR */
/* Clear counters and comefrom */
e->counters = ((struct ipt_counters) { 0, 0 });
@@ -957,6 +976,7 @@
goto free_counters;
}
+ /* FIXME: use iterator macros --RR */
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
@@ -1134,6 +1154,14 @@
const struct ipt_counters addme[],
unsigned int *i)
{
+#if 0
+ duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
+ *i,
+ (long unsigned int)e->counters.pcnt,
+ (long unsigned int)e->counters.bcnt,
+ (long unsigned int)addme[*i].pcnt,
+ (long unsigned int)addme[*i].bcnt);
+#endif
ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
@@ -1495,6 +1523,7 @@
return 0;
}
+ /* FIXME: Try tcp doff >> packet len against various stacks --RR */
#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
@@ -1670,15 +1699,14 @@
= { { NULL, NULL }, "icmp", &icmp_match, &icmp_checkentry, NULL };
#ifdef CONFIG_PROC_FS
-static inline int print_name(const char *i,
+static inline int print_name(const struct ipt_table *t,
off_t start_offset, char *buffer, int length,
off_t *pos, unsigned int *count)
{
if ((*count)++ >= start_offset) {
unsigned int namelen;
- namelen = sprintf(buffer + *pos, "%s\n",
- i + sizeof(struct list_head));
+ namelen = sprintf(buffer + *pos, "%s\n", t->name);
if (*pos + namelen > length) {
/* Stop iterating */
return 1;
@@ -1696,7 +1724,7 @@
if (down_interruptible(&ipt_mutex) != 0)
return 0;
- LIST_FIND(&ipt_tables, print_name, void *,
+ LIST_FIND(&ipt_tables, print_name, struct ipt_table *,
offset, buffer, length, &pos, &count);
up(&ipt_mutex);
@@ -1705,46 +1733,6 @@
*start=(char *)((unsigned long)count-offset);
return pos;
}
-
-static int ipt_get_targets(char *buffer, char **start, off_t offset, int length)
-{
- off_t pos = 0;
- unsigned int count = 0;
-
- if (down_interruptible(&ipt_mutex) != 0)
- return 0;
-
- LIST_FIND(&ipt_target, print_name, void *,
- offset, buffer, length, &pos, &count);
-
- up(&ipt_mutex);
-
- *start = (char *)((unsigned long)count - offset);
- return pos;
-}
-
-static int ipt_get_matches(char *buffer, char **start, off_t offset, int length)
-{
- off_t pos = 0;
- unsigned int count = 0;
-
- if (down_interruptible(&ipt_mutex) != 0)
- return 0;
-
- LIST_FIND(&ipt_match, print_name, void *,
- offset, buffer, length, &pos, &count);
-
- up(&ipt_mutex);
-
- *start = (char *)((unsigned long)count - offset);
- return pos;
-}
-
-static struct { char *name; get_info_t *get_info; } ipt_proc_entry[] =
-{ { "ip_tables_names", ipt_get_tables },
- { "ip_tables_targets", ipt_get_targets },
- { "ip_tables_matches", ipt_get_matches },
- { NULL, NULL} };
#endif /*CONFIG_PROC_FS*/
static int __init init(void)
@@ -1770,20 +1758,14 @@
#ifdef CONFIG_PROC_FS
{
struct proc_dir_entry *proc;
- int i;
- for (i = 0; ipt_proc_entry[i].name; i++) {
- proc = proc_net_create(ipt_proc_entry[i].name, 0,
- ipt_proc_entry[i].get_info);
+ proc = proc_net_create("ip_tables_names", 0, ipt_get_tables);
if (!proc) {
- while (--i >= 0)
- proc_net_remove(ipt_proc_entry[i].name);
nf_unregister_sockopt(&ipt_sockopts);
return -ENOMEM;
}
proc->owner = THIS_MODULE;
}
- }
#endif
printk("ip_tables: (C) 2000-2002 Netfilter core team\n");
@@ -1794,11 +1776,7 @@
{
nf_unregister_sockopt(&ipt_sockopts);
#ifdef CONFIG_PROC_FS
- {
- int i;
- for (i = 0; ipt_proc_entry[i].name; i++)
- proc_net_remove(ipt_proc_entry[i].name);
- }
+ proc_net_remove("ip_tables_names");
#endif
}
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipchains_core.c src/linux/linux.stock/net/ipv4/netfilter/ipchains_core.c
--- src/linux/linux/net/ipv4/netfilter/ipchains_core.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipchains_core.c 2004-05-09 04:13:03.000000000 -0400
@@ -977,10 +977,17 @@
|| ftmp->ipfw.fw_dst.s_addr!=frwl->ipfw.fw_dst.s_addr
|| ftmp->ipfw.fw_smsk.s_addr!=frwl->ipfw.fw_smsk.s_addr
|| ftmp->ipfw.fw_dmsk.s_addr!=frwl->ipfw.fw_dmsk.s_addr
+#if 0
+ || ftmp->ipfw.fw_flg!=frwl->ipfw.fw_flg
+#else
|| ((ftmp->ipfw.fw_flg & ~IP_FW_F_MARKABS)
!= (frwl->ipfw.fw_flg & ~IP_FW_F_MARKABS))
+#endif
|| ftmp->ipfw.fw_invflg!=frwl->ipfw.fw_invflg
|| ftmp->ipfw.fw_proto!=frwl->ipfw.fw_proto
+#if 0
+ || ftmp->ipfw.fw_mark!=frwl->ipfw.fw_mark
+#endif
|| ftmp->ipfw.fw_redirpt!=frwl->ipfw.fw_redirpt
|| ftmp->ipfw.fw_spts[0]!=frwl->ipfw.fw_spts[0]
|| ftmp->ipfw.fw_spts[1]!=frwl->ipfw.fw_spts[1]
@@ -1566,6 +1573,7 @@
)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
+ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
int reset = 0;
#endif
struct ip_chain *i;
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipfwadm_core.c src/linux/linux.stock/net/ipv4/netfilter/ipfwadm_core.c
--- src/linux/linux/net/ipv4/netfilter/ipfwadm_core.c 2003-10-14 04:09:33.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipfwadm_core.c 2004-05-09 04:13:03.000000000 -0400
@@ -20,7 +20,7 @@
* license in recognition of the original copyright.
* -- Alan Cox.
*
- * $Id: ipfwadm_core.c,v 1.1.1.4 2003/10/14 08:09:33 sparq Exp $
+ * $Id: ipfwadm_core.c,v 1.9.2.2 2002/01/24 15:50:42 davem Exp $
*
* Ported from BSD to Linux,
* Alan Cox 22/Nov/1994.
@@ -1205,6 +1205,7 @@
)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
+ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
int reset = 0;
#endif
return ip_chain_procinfo(IP_FW_ACCT, buffer,start, offset,length,
@@ -1223,6 +1224,7 @@
)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
+ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
int reset = 0;
#endif
return ip_chain_procinfo(IP_FW_IN, buffer,start,offset,length,
@@ -1237,6 +1239,7 @@
)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
+ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
int reset = 0;
#endif
return ip_chain_procinfo(IP_FW_OUT, buffer,start,offset,length,
@@ -1251,6 +1254,7 @@
)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
+ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
int reset = 0;
#endif
return ip_chain_procinfo(IP_FW_FWD, buffer,start,offset,length,
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipt_ECN.c src/linux/linux.stock/net/ipv4/netfilter/ipt_ECN.c
--- src/linux/linux/net/ipv4/netfilter/ipt_ECN.c 2003-10-14 04:02:57.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipt_ECN.c 2004-05-09 04:13:03.000000000 -0400
@@ -87,8 +87,8 @@
}
if (diffs[0] != *tcpflags) {
- diffs[0] = diffs[0] ^ 0xFFFF;
- diffs[1] = *tcpflags;
+ diffs[0] = htons(diffs[0]) ^ 0xFFFF;
+ diffs[1] = htons(*tcpflags);
tcph->check = csum_fold(csum_partial((char *)diffs,
sizeof(diffs),
tcph->check^0xFFFF));
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipt_LOG.c src/linux/linux.stock/net/ipv4/netfilter/ipt_LOG.c
--- src/linux/linux/net/ipv4/netfilter/ipt_LOG.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipt_LOG.c 2004-05-09 04:13:03.000000000 -0400
@@ -14,11 +14,15 @@
#include <net/route.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
struct esphdr {
__u32 spi;
-};
+}; /* FIXME evil kludge */
/* Use lock to serialize, so printks don't overlap */
static spinlock_t log_lock = SPIN_LOCK_UNLOCKED;
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipt_REJECT.c src/linux/linux.stock/net/ipv4/netfilter/ipt_REJECT.c
--- src/linux/linux/net/ipv4/netfilter/ipt_REJECT.c 2003-07-04 04:12:31.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipt_REJECT.c 2004-05-09 04:13:03.000000000 -0400
@@ -6,8 +6,6 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
-#include <linux/udp.h>
-#include <linux/icmp.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/tcp.h>
@@ -16,7 +14,11 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#if 0
+#define DEBUGP printk
+#else
#define DEBUGP(format, args...)
+#endif
/* If the original packet is part of a connection, but the connection
is not confirmed, our manufactured reply will not be associated
@@ -155,7 +157,6 @@
static void send_unreach(struct sk_buff *skb_in, int code)
{
struct iphdr *iph;
- struct udphdr *udph;
struct icmphdr *icmph;
struct sk_buff *nskb;
u32 saddr;
@@ -167,6 +168,7 @@
if (!rt)
return;
+ /* FIXME: Use sysctl number. --RR */
if (!xrlim_allow(&rt->u.dst, 1*HZ))
return;
@@ -184,19 +186,6 @@
if (iph->frag_off&htons(IP_OFFSET))
return;
- /* if UDP checksum is set, verify it's correct */
- if (iph->protocol == IPPROTO_UDP
- && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
- int datalen = skb_in->len - (iph->ihl<<2);
- udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
- if (udph->check
- && csum_tcpudp_magic(iph->saddr, iph->daddr,
- datalen, IPPROTO_UDP,
- csum_partial((char *)udph, datalen,
- 0)) != 0)
- return;
- }
-
/* If we send an ICMP error to an ICMP error a mess would result.. */
if (iph->protocol == IPPROTO_ICMP
&& skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
@@ -271,6 +260,7 @@
/* Copy as much of original packet as will fit */
data = skb_put(nskb,
length - sizeof(struct iphdr) - sizeof(struct icmphdr));
+ /* FIXME: won't work with nonlinear skbs --RR */
memcpy(data, skb_in->nh.iph,
length - sizeof(struct iphdr) - sizeof(struct icmphdr));
icmph->checksum = ip_compute_csum((unsigned char *)icmph,
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipt_ULOG.c src/linux/linux.stock/net/ipv4/netfilter/ipt_ULOG.c
--- src/linux/linux/net/ipv4/netfilter/ipt_ULOG.c 2003-07-04 04:12:32.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipt_ULOG.c 2004-05-09 04:13:03.000000000 -0400
@@ -12,7 +12,6 @@
* module loadtime -HW
* 2002/07/07 remove broken nflog_rcv() function -HW
* 2002/08/29 fix shifted/unshifted nlgroup bug -HW
- * 2002/10/30 fix uninitialized mac_len field - <Anders K. Pedersen>
*
* Released under the terms of the GPL
*
@@ -32,7 +31,7 @@
* Specify, after how many clock ticks (intel: 100 per second) the queue
* should be flushed even if it is not full yet.
*
- * ipt_ULOG.c,v 1.22 2002/10/30 09:07:31 laforge Exp
+ * ipt_ULOG.c,v 1.21 2002/08/29 10:54:34 laforge Exp
*/
#include <linux/module.h>
@@ -60,7 +59,12 @@
#define ULOG_NL_EVENT 111 /* Harald's favorite number */
#define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */
+#if 0
+#define DEBUGP(format, args...) printk(__FILE__ ":" __FUNCTION__ ":" \
+ format, ## args)
+#else
#define DEBUGP(format, args...)
+#endif
#define PRINTR(format, args...) do { if (net_ratelimit()) printk(format, ## args); } while (0)
@@ -220,8 +224,7 @@
&& in->hard_header_len <= ULOG_MAC_LEN) {
memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
pm->mac_len = in->hard_header_len;
- } else
- pm->mac_len = 0;
+ }
if (in)
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipt_multiport.c src/linux/linux.stock/net/ipv4/netfilter/ipt_multiport.c
--- src/linux/linux/net/ipv4/netfilter/ipt_multiport.c 2003-07-04 04:12:32.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipt_multiport.c 2004-05-09 04:13:03.000000000 -0400
@@ -8,7 +8,11 @@
#include <linux/netfilter_ipv4/ipt_multiport.h>
#include <linux/netfilter_ipv4/ip_tables.h>
+#if 0
+#define duprintf(format, args...) printk(format , ## args)
+#else
#define duprintf(format, args...)
+#endif
/* Returns 1 if the port is matched by the test, 0 otherwise. */
static inline int
@@ -74,7 +78,7 @@
/* Must specify proto == TCP/UDP, no unknown flags or bad count */
return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
- && !(ip->invflags & IPT_INV_PROTO)
+ && !(ip->flags & IPT_INV_PROTO)
&& matchsize == IPT_ALIGN(sizeof(struct ipt_multiport))
&& (multiinfo->flags == IPT_MULTIPORT_SOURCE
|| multiinfo->flags == IPT_MULTIPORT_DESTINATION
diff -Nurb src/linux/linux/net/ipv4/netfilter/ipt_pool.c src/linux/linux.stock/net/ipv4/netfilter/ipt_pool.c
--- src/linux/linux/net/ipv4/netfilter/ipt_pool.c 2003-07-04 04:12:32.000000000 -0400
+++ src/linux/linux.stock/net/ipv4/netfilter/ipt_pool.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,71 +0,0 @@
-/* Kernel module to match an IP address pool. */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_pool.h>
-#include <linux/netfilter_ipv4/ipt_pool.h>
-
-static inline int match_pool(
- ip_pool_t index,
- __u32 addr,
- int inv
-) {
- if (ip_pool_match(index, ntohl(addr)))
- inv = !inv;
- return inv;
-}
-
-static int match(
- const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const void *matchinfo,
- int offset,
- const void *hdr,
- u_int16_t datalen,
- int *hotdrop
-) {
- const struct ipt_pool_info *info = matchinfo;
- const struct iphdr *iph = skb->nh.iph;
-
- if (info->src != IP_POOL_NONE && !match_pool(info->src, iph->saddr,
- info->flags&IPT_POOL_INV_SRC))
- return 0;
-
- if (info->dst != IP_POOL_NONE && !match_pool(info->dst, iph->daddr,
- info->flags&IPT_POOL_INV_DST))
- return 0;
-
- return 1;
-}
-
-static int checkentry(
- const char *tablename,
- const struct ipt_ip *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask
-) {
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_pool_info)))
- return 0;
- return 1;
-}
-
-static struct ipt_match pool_match
-= { { NULL, NULL }, "pool", &match, &checkentry, NULL, THIS_MODULE };
-
-static int __init init(void)
-{
- return ipt_register_match(&pool_match);
-}
-
-static void __exit fini(void)
-{
- ipt_unregister_match(&pool_match);
-}
-
-module_init(init);
-module_exit(fini);
diff -Nurb src/linux/linux/net/ipv6/mcast.c src/linux/linux.stock/net/ipv6/mcast.c
--- src/linux/linux/net/ipv6/mcast.c 2003-10-14 04:09:34.000000000 -0400
+++ src/linux/linux.stock/net/ipv6/mcast.c 2004-05-09 04:13:22.000000000 -0400
@@ -5,7 +5,7 @@
* Authors:
* Pedro Roque <roque@di.fc.ul.pt>
*
- * $Id: mcast.c,v 1.1.1.4 2003/10/14 08:09:34 sparq Exp $
+ * $Id: mcast.c,v 1.38 2001/08/15 07:36:31 davem Exp $
*
* Based on linux/ipv4/igmp.c and linux/ipv4/ip_sockglue.c
*