author | kaloz <kaloz@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2008-12-01 20:27:46 +0000 |
committer | kaloz <kaloz@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2008-12-01 20:27:46 +0000 |
commit | e54be17dce4b377a5c98e9336fa8401eb38b2989 (patch) | |
tree | f73415d0bc198884dfc8c4fc88b17f4d0c76d9c2 /package/iptables/patches | |
parent | 4a74c7b9a1fea49d675f8127e62af386ccbec94e (diff) |
upgrade iptables to 1.4.1.1, needed for proper 2.6.27 support
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13458 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/iptables/patches')
-rw-r--r-- | package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch | 43 | ||||
-rw-r--r-- | package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch | 279 | ||||
-rw-r--r-- | package/iptables/patches/1.4.1.1/001-ipp2p-0.8.1rc1.patch (renamed from package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch) | 187 | ||||
-rw-r--r-- | package/iptables/patches/1.4.1.1/002-layer7_2.17.patch (renamed from package/iptables/patches/1.4.0/002-layer7_2.17.patch) | 110 | ||||
-rw-r--r-- | package/iptables/patches/1.4.1.1/005-imq1.patch (renamed from package/iptables/patches/1.4.0/005-imq1.patch) | 137 | ||||
-rw-r--r-- | package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch (renamed from package/iptables/patches/1.4.0/006-chaostables_0.8.patch) | 10 | ||||
-rw-r--r-- | package/iptables/patches/1.4.1.1/007-tarpit_support.patch (renamed from package/iptables/patches/1.4.0/007-tarpit_support.patch) | 2 |
7 files changed, 212 insertions, 556 deletions
diff --git a/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch b/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch deleted file mode 100644 index dd6efc15d..000000000 --- a/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch +++ /dev/null @@ -1,43 +0,0 @@ -Index: iptables-1.4.0/extensions/libipt_layer7.c -=================================================================== ---- iptables-1.4.0.orig/extensions/libipt_layer7.c -+++ iptables-1.4.0/extensions/libipt_layer7.c -@@ -43,7 +43,8 @@ static void help(void) - "LAYER7 match v%s options:\n" - "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" - " (--l7dir must be specified before --l7proto if used!)\n" -- "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n", -+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n" -+ "--l7pkt : Skip connection tracking and match individual packets\n", - IPTABLES_VERSION); - fputc('\n', stdout); - } -@@ -51,6 +52,7 @@ static void help(void) - static struct option opts[] = { - { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, - { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, -+ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' }, - { .name = 0 } - }; - -@@ -339,6 +341,10 @@ static int parse(int c, char **argv, int - *flags = 1; - break; - -+ case '3': -+ layer7info->pkt = 1; -+ break; -+ - default: - return 0; - } -@@ -370,6 +376,9 @@ static void print(const void *ip, - - print_protocol(((struct xt_layer7_info *)match->data)->protocol, - ((struct xt_layer7_info *)match->data)->invert, numeric); -+ -+ if (((struct xt_layer7_info *)match->data)->pkt) -+ printf("l7pkt "); - } - /* Saves the union ipt_matchinfo in parsable form to stdout. */ - static void save(const void *ip, const struct xt_entry_match *match) 
diff --git a/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch b/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch
deleted file mode 100644
index 0f6e01b19..000000000
--- a/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch
+++ /dev/null
@@ -1,279 +0,0 @@ -Index: iptables-1.4.0/extensions/libxt_multiport.c -=================================================================== ---- iptables-1.4.0.orig/extensions/libxt_multiport.c -+++ iptables-1.4.0/extensions/libxt_multiport.c -@@ -12,22 +12,6 @@ - #include "../include/linux/netfilter/xt_multiport.h" - - /* Function which prints out usage message. */ --static void multiport_help(void) --{ -- printf( --"multiport v%s options:\n" --" --source-ports port[,port,port...]\n" --" --sports ...\n" --" match source port(s)\n" --" --destination-ports port[,port,port...]\n" --" --dports ...\n" --" match destination port(s)\n" --" --ports port[,port,port]\n" --" match both source and destination port(s)\n" --" NOTE: this kernel does not support port ranges in multiport.\n", --IPTABLES_VERSION); --} -- - static void multiport_help_v1(void) - { - printf( -@@ -71,26 +55,6 @@ proto_to_name(u_int8_t proto) - } - } - --static unsigned int --parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) --{ -- char *buffer, *cp, *next; -- unsigned int i; -- -- buffer = strdup(portstring); -- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed"); -- -- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++) -- { -- next=strchr(cp, ','); -- if (next) *next++='\0'; -- ports[i] = parse_port(cp, proto); -- } -- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified"); -- free(buffer); -- return i; --} -- - static void - parse_multi_ports_v1(const char *portstring, - struct xt_multiport_v1 *multiinfo, -@@ -154,73 +118,6 @@ check_proto(u_int16_t pnum, u_int8_t inv - /* Function which parses command options; returns true if it - ate an option */ - static int --__multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- struct xt_entry_match **match, u_int16_t pnum, -- u_int8_t invflags) --{ -- const char *proto; -- struct xt_multiport *multiinfo -- = (struct xt_multiport *)(*match)->data; -- -- switch (c) { -- case '1': -- 
check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_SOURCE; -- break; -- -- case '2': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_DESTINATION; -- break; -- -- case '3': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(pnum, invflags); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = XT_MULTIPORT_EITHER; -- break; -- -- default: -- return 0; -- } -- -- if (invert) -- exit_error(PARAMETER_PROBLEM, -- "multiport does not support invert"); -- -- if (*flags) -- exit_error(PARAMETER_PROBLEM, -- "multiport can only have one option"); -- *flags = 1; -- return 1; --} -- --static int --multiport_parse(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ipt_entry *entry = e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ip.proto, entry->ip.invflags); --} -- --static int --multiport_parse6(int c, char **argv, int invert, unsigned int *flags, -- const void *e, struct xt_entry_match **match) --{ -- const struct ip6t_entry *entry = (const struct ip6t_entry *)e; -- return __multiport_parse(c, argv, invert, flags, match, -- entry->ipv6.proto, entry->ipv6.invflags); --} -- --static int - __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, - struct xt_entry_match **match, u_int16_t pnum, - u_int8_t invflags) -@@ -313,55 +210,6 @@ print_port(u_int16_t port, u_int8_t prot - } - - /* Prints out the matchinfo. 
*/ --static void --__multiport_print(const struct xt_entry_match *match, int numeric, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- printf("multiport "); -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("ports "); -- break; -- -- default: -- printf("ERROR "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], proto, numeric); -- } -- printf(" "); --} -- --static void multiport_print(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- --static void multiport_print6(const void *ip_void, -- const struct xt_entry_match *match, int numeric) --{ -- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; -- __multiport_print(match, numeric, ip->proto); --} -- - static void __multiport_print_v1(const struct xt_entry_match *match, - int numeric, u_int16_t proto) - { -@@ -418,48 +266,6 @@ static void multiport_print6_v1(const vo - } - - /* Saves the union ipt_matchinfo in parsable form to stdout. */ --static void __multiport_save(const struct xt_entry_match *match, -- u_int16_t proto) --{ -- const struct xt_multiport *multiinfo -- = (const struct xt_multiport *)match->data; -- unsigned int i; -- -- switch (multiinfo->flags) { -- case XT_MULTIPORT_SOURCE: -- printf("--sports "); -- break; -- -- case XT_MULTIPORT_DESTINATION: -- printf("--dports "); -- break; -- -- case XT_MULTIPORT_EITHER: -- printf("--ports "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? 
"," : ""); -- print_port(multiinfo->ports[i], proto, 1); -- } -- printf(" "); --} -- --static void multiport_save(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ipt_ip *ip = ip_void; -- __multiport_save(match, ip->proto); --} -- --static void multiport_save6(const void *ip_void, -- const struct xt_entry_match *match) --{ -- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; -- __multiport_save(match, ip->proto); --} -- - static void __multiport_save_v1(const struct xt_entry_match *match, - u_int16_t proto) - { -@@ -509,36 +315,6 @@ static void multiport_save6_v1(const voi - __multiport_save_v1(match, ip->proto); - } - --static struct xtables_match multiport_match = { -- .family = AF_INET, -- .name = "multiport", -- .revision = 0, -- .version = IPTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse, -- .final_check = multiport_check, -- .print = multiport_print, -- .save = multiport_save, -- .extra_opts = multiport_opts, --}; -- --static struct xtables_match multiport_match6 = { -- .family = AF_INET6, -- .name = "multiport", -- .revision = 0, -- .version = IPTABLES_VERSION, -- .size = XT_ALIGN(sizeof(struct xt_multiport)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), -- .help = multiport_help, -- .parse = multiport_parse6, -- .final_check = multiport_check, -- .print = multiport_print6, -- .save = multiport_save6, -- .extra_opts = multiport_opts, --}; -- - static struct xtables_match multiport_match_v1 = { - .family = AF_INET, - .name = "multiport", -@@ -572,8 +348,6 @@ static struct xtables_match multiport_ma - void - _init(void) - { -- xtables_register_match(&multiport_match); -- xtables_register_match(&multiport_match6); - xtables_register_match(&multiport_match_v1); - xtables_register_match(&multiport_match6_v1); - } 
diff --git a/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch b/package/iptables/patches/1.4.1.1/001-ipp2p-0.8.1rc1.patch index 3b32b948b..e3e92bdd2 100644 --- a/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch +++ b/package/iptables/patches/1.4.1.1/001-ipp2p-0.8.1rc1.patch @@ -1,24 +1,13 @@ -Index: iptables-1.4.0/extensions/Makefile -=================================================================== ---- iptables-1.4.0.orig/extensions/Makefile -+++ iptables-1.4.0/extensions/Makefile -@@ -19,6 +19,10 @@ PF6_EXT_SE_SLIB:=$(PF6_EXT_SELINUX_SLIB) - PFX_EXT_SE_SLIB:=$(PFX_EXT_SELINUX_SLIB) - endif - -+ -+# ipp2p -+PF_EXT_SLIB += ipp2p -+ - # Optionals - PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) - PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) -Index: iptables-1.4.0/extensions/libipt_ipp2p.c -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libipt_ipp2p.c -@@ -0,0 +1,398 @@ -+ +diff -Nur iptables-1.4.1.1/extensions/.ipp2p-test iptables-1.4.1.1-owrt/extensions/.ipp2p-test +--- iptables-1.4.1.1/extensions/.ipp2p-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.4.1.1-owrt/extensions/.ipp2p-test 2008-10-10 00:10:50.000000000 +0200 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipp2p.h ] && echo ipp2p +diff -Nur iptables-1.4.1.1/extensions/libipt_ipp2p.c iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.c +--- iptables-1.4.1.1/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.c 2008-10-10 00:10:50.000000000 +0200 +@@ -0,0 +1,424 @@ +#include <stdio.h> +#include <netdb.h> +#include <string.h> 
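Review bot: The new `.ipp2p-test` probe leaves `$KERNEL_DIR` unquoted in `[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipp2p.h ]`, so a KERNEL_DIR containing whitespace is word-split into several operands and the test either errors out or checks the wrong path. Quote the expansion: `[ -f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipp2p.h" ] && echo ipp2p`. The `.IMQ-test` and `.IMQ-test6` probes added in the 005-imq1 hunk further down have the same unquoted expansion.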
@@ -30,6 +19,15 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c + +#include <linux/netfilter_ipv4/ipt_ipp2p.h> + ++#ifndef XTABLES_VERSION ++#define XTABLES_VERSION IPTABLES_VERSION ++#endif ++ ++#ifdef IPT_LIB_DIR ++#define xtables_target iptables_target ++#define xtables_register_target register_target ++#endif ++ +static void +help(void) +{ @@ -81,24 +79,34 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c + {0} +}; + -+ + +static void ++#ifdef _XTABLES_H +init(struct xt_entry_match *m) ++#else ++init(struct ipt_entry_match *t, unsigned int *nfcache) ++#endif +{ + struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; + ++#ifndef _XTABLES_H ++ *nfcache |= NFC_UNKNOWN; ++#endif ++ + /*init the module with default values*/ + info->cmd = 0; + info->debug = 0; + +} -+ ++ + +static int +parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, -+ struct xt_entry_match **match) ++#ifdef _XTABLES_H ++ const void *entry, struct xt_entry_match **match) ++#else ++ const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match) ++#endif +{ + struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; + @@ -108,10 +116,13 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c + exit_error(PARAMETER_PROBLEM, + "ipp2p: `--ipp2p' may only be " + "specified once!"); ++ +/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) + exit_error(PARAMETER_PROBLEM, + "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ ++ "specified alone!"); ++*/ ++ + if ((*flags) != 0) + exit_error(PARAMETER_PROBLEM, + "ipp2p: `--ipp2p' may only be " 
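Review bot: The `#ifdef IPT_LIB_DIR` compatibility block maps only `xtables_target` and `xtables_register_target` to their pre-xtables names, yet this extension is a match: later in the same patch it defines `struct xtables_match ipp2p` and calls `xtables_register_match(&ipp2p)`, neither of which the shim covers. If the legacy path is meant to build, the block needs `#define xtables_match iptables_match` and `#define xtables_register_match register_match`; if nothing defines IPT_LIB_DIR for the 1.4.1.1 build, the dead shim should be dropped rather than kept in a state that cannot compile. Whether IPT_LIB_DIR is ever set is not visible from this hunk, so confirm which of the two applies.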
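Review bot: In the `#else` arm of `init`, the parameter is declared as `t` (`init(struct ipt_entry_match *t, unsigned int *nfcache)`) while the shared body reads `m->data`, so the non-xtables build fails on an undeclared identifier. Name the parameter the same in both arms: `init(struct ipt_entry_match *m, unsigned int *nfcache)`. The two arms of `parse` in the next hunk use identical identifiers and do not have this problem.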
@@ -329,11 +340,14 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c + "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); +} + -+ -+ +static void ++#ifdef _XTABLES_H +print(const void *ip, -+ const struct xt_entry_match *match, ++ const struct xt_entry_match *match, ++#else ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++#endif + int numeric) +{ + struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; @@ -360,11 +374,15 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c + if (info->debug != 0) printf(" --debug"); + printf(" "); +} -+ -+ + +static void -+save(const void *ip, const struct xt_entry_match *match) ++#ifdef _XTABLES_H ++save(const void *ip, ++ const struct xt_entry_match *match) ++#else ++save(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match) ++#endif +{ + struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; + @@ -390,22 +408,20 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c +} + + -+ -+ +static -+struct iptables_match ipp2p= ++struct xtables_match ipp2p= +{ -+ .family = AF_INET, ++ .next = NULL, + .name = "ipp2p", -+ .version = IPTABLES_VERSION, ++ .version = XTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), + .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .help = help, -+ .init = init, -+ .parse = parse, -+ .final_check = final_check, -+ .print = print, -+ .save = save, ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, + .extra_opts = opts +}; + 
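Review bot: The `xtables_match` initializer for ipp2p replaces `.family = AF_INET` with `.next = NULL`, leaving the family field zero, while the layer7 and IMQ registrations elsewhere in this commit set `.family` explicitly. A zero family is presumably treated as AF_UNSPEC by `xtables_register_match` and would offer this match to ip6tables as well, even though it operates on `struct ipt_p2p_info` from an IPv4-only header; confirm against the 1.4.1.1 core before relying on it. Restoring `.family = AF_INET,` keeps the registration consistent with the other patches, and `.next = NULL` is redundant for a static object. The `.size`/`.userspacesize` lines also still use `IPT_ALIGN` where the other patches moved to `XT_ALIGN`, which is worth aligning in the same pass.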
@@ -413,42 +429,53 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c + +void _init(void) +{ -+ register_match(&ipp2p); ++ xtables_register_match(&ipp2p); +} + -Index: iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h -=================================================================== ---- /dev/null -+++ iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h -@@ -0,0 +1,31 @@ -+#ifndef __IPT_IPP2P_H -+#define __IPT_IPP2P_H -+#define IPP2P_VERSION "0.8.1_rc1" -+ -+struct ipt_p2p_info { -+ int cmd; -+ int debug; -+}; -+ -+#endif //__IPT_IPP2P_H -+ -+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ -+//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ -+#define SHORT_HAND_NONE 5 /* no short hand*/ -+ -+#define IPP2P_EDK (1 << 1) -+#define IPP2P_DATA_KAZAA (1 << 2) -+#define IPP2P_DATA_EDK (1 << 3) -+#define IPP2P_DATA_DC (1 << 4) -+#define IPP2P_DC (1 << 5) -+#define IPP2P_DATA_GNU (1 << 6) -+#define IPP2P_GNU (1 << 7) -+#define IPP2P_KAZAA (1 << 8) -+#define IPP2P_BIT (1 << 9) -+#define IPP2P_APPLE (1 << 10) -+#define IPP2P_SOUL (1 << 11) -+#define IPP2P_WINMX (1 << 12) -+#define IPP2P_ARES (1 << 13) -+#define IPP2P_MUTE (1 << 14) -+#define IPP2P_WASTE (1 << 15) -+#define IPP2P_XDCC (1 << 16) +diff -Nur iptables-1.4.1.1/extensions/libipt_ipp2p.man iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.man +--- iptables-1.4.1.1/extensions/libipt_ipp2p.man 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.man 2008-10-10 00:10:50.000000000 +0200 +@@ -0,0 +1,43 @@ ++This module matches certain packets in P2P flows. It is not ++designed to match all packets belonging to a P2P connection - ++use IPP2P together with CONNMARK for this purpose. Also visit ++http://www.ipp2p.org for detailed information. ++ ++Use it together with -p tcp or -p udp to search these protocols ++only or without -p switch to search packets of both protocols. 
++ ++IPP2P provides the following options: ++.TP ++.B "--edk " ++Matches as many eDonkey/eMule packets as possible. ++.TP ++.B "--kazaa " ++Matches as many KaZaA packets as possible. ++.TP ++.B "--gnu " ++Matches as many Gnutella packets as possible. ++.TP ++.B "--dc " ++Matches as many Direct Connect packets as possible. ++.TP ++.B "--bit " ++Matches BitTorrent packets. ++.TP ++.B "--apple " ++Matches AppleJuice packets. ++.TP ++.B "--soul " ++Matches some SoulSeek packets. Considered as beta, use careful! ++.TP ++.B "--winmx " ++Matches some WinMX packets. Considered as beta, use careful! ++.TP ++.B "--ares " ++Matches Ares and AresLite packets. Use together with -j DROP only. ++.TP ++.B "--ipp2p " ++Short hand for: --edk --kazaa --gnu --dc ++.TP ++.B "--debug " ++Prints some information about each hit into kernel logfile. May ++produce huge logfiles so beware! diff --git a/package/iptables/patches/1.4.0/002-layer7_2.17.patch b/package/iptables/patches/1.4.1.1/002-layer7_2.17.patch index ed19118b0..ac6b1a484 100644 --- a/package/iptables/patches/1.4.0/002-layer7_2.17.patch +++ b/package/iptables/patches/1.4.1.1/002-layer7_2.17.patch @@ -1,10 +1,11 @@ ---- iptables-1.4.0rc1/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 -+++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.c 2007-11-19 06:06:56.000000000 -0600 -@@ -0,0 +1,393 @@ +diff -Nur iptables.old/extensions/libxt_layer7.c iptables.new/extensions/libxt_layer7.c +--- iptables.old/extensions/libxt_layer7.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.new/extensions/libxt_layer7.c 2008-08-22 16:00:52.000000000 +0200 +@@ -0,0 +1,368 @@ +/* -+ Shared library add-on to iptables to add layer 7 matching support. ++ Shared library add-on to iptables for layer 7 matching support. + -+ By Matthew Strait <quadong@users.sf.net>, Oct 2003. ++ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008. + + http://l7-filter.sf.net + 
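Review bot: This hunk drops the bundled `include/linux/netfilter_ipv4/ipt_ipp2p.h`, so `struct ipt_p2p_info` and the `IPP2P_*` bits that `libipt_ipp2p.c` includes now come from whatever `$KERNEL_DIR` supplies, and the `.ipp2p-test` probe added earlier in this file only checks that such a header exists. The removed copy pinned `IPP2P_VERSION "0.8.1_rc1"`; a kernel header from a different ipp2p release would compile against this userspace with no build-time signal, and a changed `ipt_p2p_info` layout would then surface only as a mismatch when a rule is inserted. A one-line comment in `.ipp2p-test` recording the expected kernel-side version, e.g. `# expects the ipp2p 0.8.1rc1 kernel header (struct ipt_p2p_info layout)`, would at least document the coupling.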
@@ -13,8 +14,6 @@ + as published by the Free Software Foundation; either version + 2 of the License, or (at your option) any later version. + http://www.gnu.org/licenses/gpl.txt -+ -+ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be> +*/ + +#define _GNU_SOURCE @@ -26,7 +25,7 @@ +#include <ctype.h> +#include <dirent.h> + -+#include <iptables.h> ++#include <xtables.h> +#include <linux/netfilter/xt_layer7.h> + +#define MAX_FN_LEN 256 @@ -37,22 +36,20 @@ +static void help(void) +{ + printf( -+ "LAYER7 match v%s options:\n" -+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" -+ " (--l7dir must be specified before --l7proto if used!)\n" -+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n", -+ IPTABLES_VERSION); -+ fputc('\n', stdout); ++ "layer7 match options:\n" ++ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used)\n" ++ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n"); +} + -+static struct option opts[] = { -+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, -+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, -+ { .name = 0 } ++static const struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .val = 'p' }, ++ { .name = "l7dir", .has_arg = 1, .val = 'd' }, ++ { .name = NULL } +}; + +/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ -+int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info) ++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info) +{ + FILE * f; + char * line = NULL; @@ -123,12 +120,6 @@ + fclose(f); + + return 1; -+ -+/* -+ fprintf(stderr, "protocol: %s\npattern: %s\n\n", -+ info->protocol, -+ info->pattern); -+*/ +} + +static int hex2dec(char c) 
@@ -152,7 +143,7 @@ +static char * pre_process(char * s) +{ + char * result = malloc(strlen(s) + 1); -+ int sindex = 0, rindex = 0; ++ int sindex = 0, rrindex = 0; + while( sindex < strlen(s) ) + { + if( sindex + 3 < strlen(s) && @@ -160,10 +151,10 @@ + isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) + { + /* carefully remember to call tolower here... */ -+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 + + hex2dec(s[sindex + 3] ) ); + -+ switch ( result[rindex] ) ++ switch ( result[rrindex] ) + { + case 0x24: + case 0x28: @@ -180,7 +171,7 @@ + fprintf(stderr, + "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n" + "I recommend that you write this as %c or \\%c, depending on what you meant.\n", -+ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]); ++ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]); + break; + case 0x00: + fprintf(stderr, @@ -194,18 +185,18 @@ + sindex += 3; /* 4 total */ + } + else -+ result[rindex] = tolower(s[sindex]); ++ result[rrindex] = tolower(s[sindex]); + + sindex++; -+ rindex++; ++ rrindex++; + } -+ result[rindex] = '\0'; ++ result[rrindex] = '\0'; + + return result; +} + +#define MAX_SUBDIRS 128 -+char ** readl7dir(char * dirname) ++static char ** readl7dir(char * dirname) +{ + DIR * scratchdir; + struct dirent ** namelist; @@ -259,18 +250,15 @@ + return subdirs; +} + -+static void -+parse_layer7_protocol(const char *s, struct xt_layer7_info *info) ++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info) +{ + char filename[MAX_FN_LEN]; + char * dir = NULL; + char ** subdirs; + int n = 0, done = 0; + -+ if(strlen(l7dir) > 0) -+ dir = l7dir; -+ else -+ dir = "/etc/l7-protocols"; ++ if(strlen(l7dir) > 0) dir = l7dir; ++ else dir = "/etc/l7-protocols"; + + subdirs = readl7dir(dir); + 
@@ -278,24 +266,16 @@ + { + int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); + -+ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); -+ + if(c > MAX_FN_LEN) -+ { + exit_error(OTHER_PROBLEM, + "Filename beginning with %s is too long!\n", filename); -+ } + + /* read in the pattern from the file */ -+ if(parse_protocol_file(filename, s, info)) -+ { -+ //fprintf(stderr, "found\n"); ++ if(parse_protocol_file(filename, s, info)){ + done = 1; + break; + } + -+ //fprintf(stderr, "not found\n"); -+ + n++; + } + @@ -316,18 +296,14 @@ + (struct xt_layer7_info *)(*match)->data; + + switch (c) { -+ case '1': -+ check_inverse(optarg, &invert, &optind, 0); ++ case 'p': + parse_layer7_protocol(argv[optind-1], layer7info); + if (invert) -+ layer7info->invert = 1; ++ layer7info->invert = true; + *flags = 1; + break; + -+ case '2': -+ /* not going to use this, but maybe we need to strip a ! anyway (?) */ -+ check_inverse(optarg, &invert, &optind, 0); -+ ++ case 'd': + if(strlen(argv[optind-1]) >= MAX_FN_LEN) + exit_error(PARAMETER_PROBLEM, "directory name too long\n"); + @@ -364,7 +340,6 @@ + int numeric) +{ + printf("LAYER7 "); -+ + print_protocol(((struct xt_layer7_info *)match->data)->protocol, + ((struct xt_layer7_info *)match->data)->invert, numeric); +} 
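Review bot: The truncation check on the pattern path, `if(c > MAX_FN_LEN)`, is off by one: `snprintf` returns the length that would have been written excluding the terminator, so a return value equal to MAX_FN_LEN already means `filename` was cut short and the following `parse_protocol_file` call opens the wrong path. The check should read `if(c < 0 || c >= MAX_FN_LEN)`. This line is context in the hunk rather than changed by the commit, and the enclosing `parse_layer7_protocol` starts in the previous hunk.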
@@ -374,14 +349,15 @@ + const struct xt_layer7_info *info = + (const struct xt_layer7_info*) match->data; + -+ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); ++ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol); +} + -+static struct iptables_match layer7 = { ++static struct xtables_match layer7 = { ++ .family = AF_INET, + .name = "layer7", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct xt_layer7_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)), ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_layer7_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)), + .help = &help, + .parse = &parse, + .final_check = &final_check, @@ -392,10 +368,11 @@ + +void _init(void) +{ -+ register_match(&layer7); ++ xtables_register_match(&layer7); +} ---- iptables-1.4.0rc1/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600 -+++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.man 2007-11-19 05:49:46.000000000 -0600 +diff -Nur iptables.old/extensions/libxt_layer7.man iptables.new/extensions/libxt_layer7.man +--- iptables.old/extensions/libxt_layer7.man 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.new/extensions/libxt_layer7.man 2008-08-22 16:00:52.000000000 +0200 @@ -0,0 +1,14 @@ +This module matches packets based on the application layer data of +their connections. It uses regular expression matching to compare @@ -411,8 +388,3 @@ +Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be +specified before --l7proto. + ---- iptables-1.4.0rc1/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600 -+++ iptables-1.4.0rc1-layer7/extensions/.layer7-test 2007-11-19 06:18:58.000000000 -0600 -@@ -0,0 +1,2 @@ -+#! /bin/sh -+[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7 diff --git a/package/iptables/patches/1.4.0/005-imq1.patch b/package/iptables/patches/1.4.1.1/005-imq1.patch index 63617076b..3c96a3bc3 100644 
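Review bot: `save` still emits the inverted form as `--l7proto ! name`, but the `parse` hunk earlier in this patch (`@@ -316,18 +296,14 @@`) removed the `check_inverse` call that accepted intrapositioned negation, and the updated help text advertises only `[!] --l7proto <name>`. Unless the 1.4.1.1 core strips a `!` that follows an option (not visible from here), restoring a saved rule would hand `!` to `parse_layer7_protocol` as the protocol name and fail on a missing `!.pat`. Emit the negation before the option instead: `printf("%s--l7proto %s ", (info->invert)? "! ":"", info->protocol);`.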
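Review bot: The rewritten layer7 patch no longer ships the `.layer7-test` probe that made the extension conditional on `xt_layer7.h` being present in `$KERNEL_DIR`, while the ipp2p and IMQ patches in this same commit still add `.ipp2p-test`/`.IMQ-test` probes. Which mechanism the 1.4.1.1 build honours is not visible from this diff: if it picks up `libxt_*.c` by wildcard, the layer7 build now fails hard on a kernel tree without the layer7 header and the other probes are inert; if it still consults the probe scripts, layer7 is never built. Either way the three patches should use one mechanism, and a header line in the patch such as `# built unconditionally: requires xt_layer7.h in the kernel headers` would record the intent.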
--- a/package/iptables/patches/1.4.0/005-imq1.patch +++ b/package/iptables/patches/1.4.1.1/005-imq1.patch @@ -1,12 +1,20 @@ ---- iptables-1.4.0.orig/extensions.orig/.IMQ-test6 Thu Jan 1 01:00:00 1970 -+++ iptables-1.4.0/extensions/.IMQ-test6 Mon Jun 16 10:12:47 2003 +--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/.IMQ-test 2008-06-08 22:41:49.000000000 +1000 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ +diff -pruN iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 iptables-1.4.1-rc3/extensions/.IMQ-test6 +--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/.IMQ-test6 2008-06-08 22:41:49.000000000 +1000 @@ -0,0 +1,3 @@ +#!/bin/sh +# True if IMQ target patch is applied. +[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ ---- iptables-1.4.0.orig/extensions.orig/libip6t_IMQ.c Thu Jan 1 01:00:00 1970 -+++ iptables-1.4.0/extensions/libip6t_IMQ.c Mon Jun 16 10:12:47 2003 -@@ -0,0 +1,100 @@ +diff -pruN iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c iptables-1.4.1-rc3/extensions/libip6t_IMQ.c +--- iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/libip6t_IMQ.c 2008-06-08 22:46:57.000000000 +1000 +@@ -0,0 +1,89 @@ +/* Shared library add-on to iptables to add IMQ target support. */ +#include <stdio.h> +#include <string.h> 
@@ -18,23 +26,21 @@ +#include <linux/netfilter_ipv6/ip6t_IMQ.h> + +/* Function which prints out usage message. */ -+static void -+help(void) ++static void IMQ_help(void) +{ + printf( +"IMQ target v%s options:\n" +" --todev <N> enqueue to imq<N>, defaults to 0\n", -+IPTABLES_VERSION); ++XTABLES_VERSION); +} + -+static struct option opts[] = { ++static struct option IMQ_opts[] = { + { "todev", 1, 0, '1' }, + { 0 } +}; + +/* Initialize the target. */ -+static void -+init(struct xt_entry_target *t) ++static void IMQ_init(struct xt_entry_target *t) +{ + struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; + @@ -43,8 +49,7 @@ + +/* Function which parses command options; returns true if it + ate an option */ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, ++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, + struct xt_entry_target **target) +{ @@ -63,14 +68,8 @@ + return 1; +} + -+static void -+final_check(unsigned int flags) -+{ -+} -+ +/* Prints out the targinfo. */ -+static void -+print(const void *ip, ++static void IMQ_print(const void *ip, + const struct xt_entry_target *target, + int numeric) +{ 
@@ -80,42 +79,35 @@ +} + +/* Saves the union ipt_targinfo in parsable form to stdout. */ -+static void -+save(const void *ip, const struct xt_entry_target *target) ++static void IMQ_save(const void *ip, const struct xt_entry_target *target) +{ + struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; + + printf("--todev %u", mr->todev); +} + -+static struct ip6tables_target imq = { -+ .next = NULL, ++static struct xtables_target imq = { + .name = "IMQ", -+ .version = IPTABLES_VERSION, -+ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), -+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts ++ .version = XTABLES_VERSION, ++ .family = PF_INET6, ++ .size = XT_ALIGN(sizeof(struct ip6t_imq_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct ip6t_imq_info)), ++ .help = IMQ_help, ++ .init = IMQ_init, ++ .parse = IMQ_parse, ++ .print = IMQ_print, ++ .save = IMQ_save, ++ .extra_opts = IMQ_opts, +}; + -+static __attribute__((constructor)) void _init(void) ++void _init(void) +{ -+ register_target6(&imq); ++ xtables_register_target(&imq); +} ---- iptables-1.4.0.orig/extensions.orig/.IMQ-test Thu Jan 1 01:00:00 1970 -+++ iptables-1.4.0/extensions/.IMQ-test Mon Jun 16 10:12:47 2003 -@@ -0,0 +1,3 @@ -+#!/bin/sh -+# True if IMQ target patch is applied. 
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ ---- iptables-1.4.0.orig/extensions.orig/libipt_IMQ.c Thu Jan 1 01:00:00 1970 -+++ iptables-1.4.0/extensions/libipt_IMQ.c Mon Jun 16 10:12:47 2003 -@@ -0,0 +1,100 @@ +diff -pruN iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c iptables-1.4.1-rc3/extensions/libipt_IMQ.c +--- iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/libipt_IMQ.c 2008-06-08 22:46:25.000000000 +1000 +@@ -0,0 +1,88 @@ +/* Shared library add-on to iptables to add IMQ target support. */ +#include <stdio.h> +#include <string.h> @@ -127,23 +119,21 @@ +#include <linux/netfilter_ipv4/ipt_IMQ.h> + +/* Function which prints out usage message. */ -+static void -+help(void) ++static void IMQ_help(void) +{ + printf( +"IMQ target v%s options:\n" +" --todev <N> enqueue to imq<N>, defaults to 0\n", -+IPTABLES_VERSION); ++XTABLES_VERSION); +} + -+static struct option opts[] = { ++static struct option IMQ_opts[] = { + { "todev", 1, 0, '1' }, + { 0 } +}; + +/* Initialize the target. */ -+static void -+init(struct xt_entry_target *t) ++static void IMQ_init(struct xt_entry_target *t) +{ + struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; + @@ -152,10 +142,8 @@ + +/* Function which parses command options; returns true if it + ate an option */ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, -+ struct xt_entry_target **target) ++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) +{ + struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; + @@ -172,14 +160,8 @@ + return 1; +} + -+static void -+final_check(unsigned int flags) -+{ -+} -+ +/* Prints out the targinfo. */ -+static void -+print(const void *ip, ++static void IMQ_print(const void *ip, + const struct xt_entry_target *target, + int numeric) +{ 
@@ -189,31 +171,28 @@
 +}
 +
 +/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const void *ip, const struct xt_entry_target *target)
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
 +{
 + struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
 +
 + printf("--todev %u", mr->todev);
 +}
 +
-+static struct iptables_target imq = {
-+ .next = NULL,
++static struct xtables_target imq = {
 + .name = "IMQ",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
++ .version = XTABLES_VERSION,
++ .family = PF_INET,
++ .size = XT_ALIGN(sizeof(struct ipt_imq_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct ipt_imq_info)),
++ .help = IMQ_help,
++ .init = IMQ_init,
++ .parse = IMQ_parse,
++ .print = IMQ_print,
++ .save = IMQ_save,
++ .extra_opts = IMQ_opts,
 +};
 +
-+static __attribute__((constructor)) void _init(void)
++void _init(void)
 +{
-+ register_target(&imq);
++ xtables_register_target(&imq);
 +}
-
diff --git a/package/iptables/patches/1.4.0/006-chaostables_0.8.patch b/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch
index a9eb14544..e1a7fca19 100644
--- a/package/iptables/patches/1.4.0/006-chaostables_0.8.patch
+++ b/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch
@@ -46,7 +46,7 @@ Index: iptables-1.4.0/extensions/libxt_CHAOS.c
 + "CHAOS target v%s options:\n"
 + " --delude Enable DELUDE processing for TCP\n"
 + " --tarpit Enable TARPIT processing for TCP\n",
-+ IPTABLES_VERSION);
++ XTABLES_VERSION);
 + return;
 +}
 +
@@ -107,7 +107,7 @@ Index: iptables-1.4.0/extensions/libxt_CHAOS.c
 +}
 +
 +static struct xtables_target chaos_tg_reg = {
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
 + .name = "CHAOS",
 + .family = AF_INET,
 + .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
@@ -195,7 +195,7 @@ Index: iptables-1.4.0/extensions/libxt_DELUDE.c
 +}
 +
 +static struct xtables_target delude_tg_reg = {
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
 + .name = "DELUDE",
 + .family = AF_INET,
 + .size = XT_ALIGN(0),
@@ -269,7 +269,7 @@ Index: iptables-1.4.0/extensions/libxt_portscan.c
 + " --synscan Match TCP SYN scans\n"
 + " --cnscan Match TCP Connect scans\n"
 + " --grscan Match Banner Grabbing scans\n",
-+ IPTABLES_VERSION);
++ XTABLES_VERSION);
 + return;
 +}
 +
@@ -341,7 +341,7 @@ Index: iptables-1.4.0/extensions/libxt_portscan.c
 +}
 +
 +static struct xtables_match portscan_mt_reg = {
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
 + .name = "portscan",
 + .family = AF_INET,
 + .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
diff --git a/package/iptables/patches/1.4.0/007-tarpit_support.patch b/package/iptables/patches/1.4.1.1/007-tarpit_support.patch
index f1914f90b..1ff3cbf7b 100644
--- a/package/iptables/patches/1.4.0/007-tarpit_support.patch
+++ b/package/iptables/patches/1.4.1.1/007-tarpit_support.patch
@@ -43,7 +43,7 @@ Index: iptables-1.4.0/extensions/libxt_TARPIT.c
 +static struct xtables_target tarpit_target = {
 + .family = AF_INET,
 + .name = "TARPIT",
-+ .version = IPTABLES_VERSION,
++ .version = XTABLES_VERSION,
 + .size = XT_ALIGN(0),
 + .userspacesize = XT_ALIGN(0),
 + .help = TARPIT_help,
|
