From 151238116d88b6bcb983175367754c905a4953f6 Mon Sep 17 00:00:00 2001 From: pavlov Date: Mon, 5 Mar 2007 01:38:44 +0000 Subject: trunk.. same deal as changeset:6526 git-svn-id: svn://svn.openwrt.org/openwrt/trunk@6527 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- package/iptables/patches/001-ipp2p-0.8.1rc1.patch | 454 ++++++++++++++++++++++ package/iptables/patches/002-layer7-1.5nbd.patch | 416 ++++++++++++++++++++ package/iptables/patches/004-multiport_v1.patch | 221 +++++++++++ package/iptables/patches/005-imq1.patch | 224 +++++++++++ package/iptables/patches/006-iprange-typesh.patch | 10 + package/iptables/patches/007-ifname_warning.patch | 28 ++ package/iptables/patches/008-chaostables.patch | 336 ++++++++++++++++ package/iptables/patches/01-ipp2p-0.8.1rc1.patch | 454 ---------------------- package/iptables/patches/02-layer7-1.5nbd.patch | 416 -------------------- package/iptables/patches/04-multiport_v1.patch | 221 ----------- package/iptables/patches/05-imq1.patch | 224 ----------- package/iptables/patches/06-iprange-typesh.patch | 10 - package/iptables/patches/07-ifname_warning.patch | 28 -- package/iptables/patches/08-chaostables.patch | 336 ---------------- 14 files changed, 1689 insertions(+), 1689 deletions(-) create mode 100644 package/iptables/patches/001-ipp2p-0.8.1rc1.patch create mode 100644 package/iptables/patches/002-layer7-1.5nbd.patch create mode 100644 package/iptables/patches/004-multiport_v1.patch create mode 100644 package/iptables/patches/005-imq1.patch create mode 100644 package/iptables/patches/006-iprange-typesh.patch create mode 100644 package/iptables/patches/007-ifname_warning.patch create mode 100644 package/iptables/patches/008-chaostables.patch delete mode 100644 package/iptables/patches/01-ipp2p-0.8.1rc1.patch delete mode 100644 package/iptables/patches/02-layer7-1.5nbd.patch delete mode 100644 package/iptables/patches/04-multiport_v1.patch delete mode 100644 package/iptables/patches/05-imq1.patch delete mode 100644 package/iptables/patches/06-iprange-typesh.patch delete mode 100644 package/iptables/patches/07-ifname_warning.patch delete mode 100644 package/iptables/patches/08-chaostables.patch (limited to 'package/iptables/patches') diff --git a/package/iptables/patches/001-ipp2p-0.8.1rc1.patch b/package/iptables/patches/001-ipp2p-0.8.1rc1.patch new file mode 100644 index 000000000..f7129b456 --- /dev/null +++ b/package/iptables/patches/001-ipp2p-0.8.1rc1.patch @@ -0,0 +1,454 @@ +diff -urN iptables.old/extensions/Makefile iptables.dev/extensions/Makefile +--- iptables.old/extensions/Makefile 2005-07-20 04:22:56.000000000 +0200 ++++ iptables.dev/extensions/Makefile 2006-03-23 14:42:28.000000000 +0100 +@@ -8,6 +8,10 @@ + PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG + PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL LOG NFQUEUE MARK TRACE + ++ ++# ipp2p ++PF_EXT_SLIB += ipp2p ++ + # Optionals + PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) + PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) +diff -urN iptables.old/extensions/libipt_ipp2p.c iptables.dev/extensions/libipt_ipp2p.c +--- iptables.old/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/libipt_ipp2p.c 2006-03-23 14:43:26.000000000 +0100 +@@ -0,0 +1,401 @@ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++static void ++help(void) ++{ ++ printf( ++ "IPP2P v%s options:\n" ++ " --ipp2p Grab all known p2p packets\n" ++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" ++ " --dc [TCP] All known Direct Connect packets\n" ++ " --kazaa [TCP&UDP] All known KaZaA packets\n" ++ " --gnu [TCP&UDP] All known Gnutella packets\n" ++ " --bit [TCP&UDP] All known BitTorrent packets\n" ++ " --apple [TCP] All known AppleJuice packets\n" ++ " --winmx [TCP] All known WinMX\n" ++ " --soul [TCP] All known SoulSeek\n" ++ " --ares [TCP] All known Ares\n\n" ++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" ++ " --mute [TCP] All known Mute packets\n" ++ " --waste [TCP] All known Waste packets\n" ++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n" ++ " DEBUG SUPPPORT, use only if you know why\n" ++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" ++ "\nNote that the follwing options will have the same meaning:\n" ++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n" ++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" ++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" ++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" ++ "\nExamples:\n" ++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" ++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" ++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" ++ , IPP2P_VERSION); ++} ++ ++static struct option opts[] = { ++ { "ipp2p", 0, 0, '1' }, ++ { "edk", 0, 0, '2' }, ++ { "dc", 0, 0, '7' }, ++ { "gnu", 0, 0, '9' }, ++ { "kazaa", 0, 0, 'a' }, ++ { "bit", 0, 0, 'b' }, ++ { "apple", 0, 0, 'c' }, ++ { "soul", 0, 0, 'd' }, ++ { "winmx", 0, 0, 'e' }, ++ { "ares", 0, 0, 'f' }, ++ { "mute", 0, 0, 'g' }, ++ { "waste", 0, 0, 'h' }, ++ { "xdcc", 0, 0, 'i' }, ++ { "debug", 0, 0, 'j' }, ++ {0} ++}; ++ ++ ++ ++static void ++init(struct ipt_entry_match *m, unsigned int *nfcache) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; ++ ++ *nfcache |= NFC_UNKNOWN; ++ ++ /*init the module with default values*/ ++ info->cmd = 0; ++ info->debug = 0; ++ ++} ++ ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': /*cmd: ipp2p*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags) != 0) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += SHORT_HAND_IPP2P; ++ info->cmd = *flags; ++ break; ++ ++ case '2': /*cmd: edk*/ ++ if ((*flags & IPP2P_EDK) == IPP2P_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--edk' may only be " ++ "specified once"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_EDK; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '7': /*cmd: dc*/ ++ if ((*flags & IPP2P_DC) == IPP2P_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--dc' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DC; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '9': /*cmd: gnu*/ ++ if ((*flags & IPP2P_GNU) == IPP2P_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--gnu' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_GNU; ++ info->cmd = *flags; ++ break; ++ ++ case 'a': /*cmd: kazaa*/ ++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--kazaa' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_KAZAA; ++ info->cmd = *flags; ++ break; ++ ++ case 'b': /*cmd: bit*/ ++ if ((*flags & IPP2P_BIT) == IPP2P_BIT) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--bit' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_BIT; ++ info->cmd = *flags; ++ break; ++ ++ case 'c': /*cmd: apple*/ ++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--apple' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_APPLE; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'd': /*cmd: soul*/ ++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--soul' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_SOUL; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'e': /*cmd: winmx*/ ++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--winmx' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WINMX; ++ info->cmd = *flags; ++ break; ++ ++ case 'f': /*cmd: ares*/ ++ if ((*flags & IPP2P_ARES) == IPP2P_ARES) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_ARES; ++ info->cmd = *flags; ++ break; ++ ++ case 'g': /*cmd: mute*/ ++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--mute' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_MUTE; ++ info->cmd = *flags; ++ break; ++ case 'h': /*cmd: waste*/ ++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--waste' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WASTE; ++ info->cmd = *flags; ++ break; ++ case 'i': /*cmd: xdcc*/ ++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_XDCC; ++ info->cmd = *flags; ++ break; ++ ++ case 'j': /*cmd: debug*/ ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ info->debug = 1; ++ break; ++ ++ default: ++// exit_error(PARAMETER_PROBLEM, ++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++ return 0; ++ } ++ return 1; ++} ++ ++ ++static void ++final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++} ++ ++ ++ ++static void ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ printf("ipp2p v%s", IPP2P_VERSION); ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf(" --debug"); ++ printf(" "); ++} ++ ++ ++ ++static void ++save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf("--debug "); ++} ++ ++ ++ ++ ++static ++struct iptables_match ipp2p= ++{ ++ .next = NULL, ++ .name = "ipp2p", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++ ++ ++void _init(void) ++{ ++ register_match(&ipp2p); ++} ++ +diff -urN iptables.old/include/linux/netfilter_ipv4/ipt_ipp2p.h iptables.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h +--- iptables.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2006-03-23 14:44:26.000000000 +0100 +@@ -0,0 +1,31 @@ ++#ifndef __IPT_IPP2P_H ++#define __IPT_IPP2P_H ++#define IPP2P_VERSION "0.8.1_rc1" ++ ++struct ipt_p2p_info { ++ int cmd; ++ int debug; ++}; ++ ++#endif //__IPT_IPP2P_H ++ ++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ ++//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ ++#define SHORT_HAND_NONE 5 /* no short hand*/ ++ ++#define IPP2P_EDK (1 << 1) ++#define IPP2P_DATA_KAZAA (1 << 2) ++#define IPP2P_DATA_EDK (1 << 3) ++#define IPP2P_DATA_DC (1 << 4) ++#define IPP2P_DC (1 << 5) ++#define IPP2P_DATA_GNU (1 << 6) ++#define IPP2P_GNU (1 << 7) ++#define IPP2P_KAZAA (1 << 8) ++#define IPP2P_BIT (1 << 9) ++#define IPP2P_APPLE (1 << 10) ++#define IPP2P_SOUL (1 << 11) ++#define IPP2P_WINMX (1 << 12) ++#define IPP2P_ARES (1 << 13) ++#define IPP2P_MUTE (1 << 14) ++#define IPP2P_WASTE (1 << 15) ++#define IPP2P_XDCC (1 << 16) diff --git a/package/iptables/patches/002-layer7-1.5nbd.patch b/package/iptables/patches/002-layer7-1.5nbd.patch new file mode 100644 index 000000000..95c62a860 --- /dev/null +++ b/package/iptables/patches/002-layer7-1.5nbd.patch @@ -0,0 +1,416 @@ +diff -urN iptables.old/extensions/.layer7-test iptables.dev/extensions/.layer7-test +--- iptables.old/extensions/.layer7-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/.layer7-test 2005-11-10 16:57:51.819381000 +0100 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7 +diff -urN iptables.old/extensions/ipt_layer7.h iptables.dev/extensions/ipt_layer7.h +--- iptables.old/extensions/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/ipt_layer7.h 2005-11-10 17:46:32.933599750 +0100 +@@ -0,0 +1,27 @@ ++/* ++ By Matthew Strait , Dec 2003. ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++*/ ++ ++#ifndef _IPT_LAYER7_H ++#define _IPT_LAYER7_H ++ ++#define MAX_PATTERN_LEN 8192 ++#define MAX_PROTOCOL_LEN 256 ++ ++typedef char *(*proc_ipt_search) (char *, char, char *); ++ ++struct ipt_layer7_info { ++ char protocol[MAX_PROTOCOL_LEN]; ++ char invert:1; ++ char pattern[MAX_PATTERN_LEN]; ++ char pkt; ++}; ++ ++#endif /* _IPT_LAYER7_H */ +diff -urN iptables.old/extensions/libipt_layer7.c iptables.dev/extensions/libipt_layer7.c +--- iptables.old/extensions/libipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/libipt_layer7.c 2005-11-10 17:47:01.399378750 +0100 +@@ -0,0 +1,358 @@ ++/* ++ Shared library add-on to iptables to add layer 7 matching support. ++ ++ By Matthew Strait , Oct 2003. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on libipt_string.c (C) 2000 Emmanuel Roger ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include "ipt_layer7.h" ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "LAYER7 match v%s options:\n" ++ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used!)\n" ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n" ++ "--l7pkt : Skip connection tracking and match individual packets\n", ++ IPTABLES_VERSION); ++ fputc('\n', stdout); ++} ++ ++static struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, ++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' }, ++ { .name = 0 } ++}; ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ size_t len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ if(strcmp(line, protoname)) ++ exit_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ protoname, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ exit_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ exit_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++ ++/* ++ fprintf(stderr, "protocol: %s\npattern: %s\n\n", ++ info->protocol, ++ info->pattern); ++*/ ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rindex++; ++ } ++ result[rindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void ++parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) ++ dir = l7dir; ++ else ++ dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); ++ ++ if(c > MAX_FN_LEN) ++ { ++ exit_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ } ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)) ++ { ++ //fprintf(stderr, "found\n"); ++ done = 1; ++ break; ++ } ++ ++ //fprintf(stderr, "not found\n"); ++ ++ n++; ++ } ++ ++ if(!done) ++ exit_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_layer7_info *layer7info = ++ (struct ipt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': ++ check_inverse(optarg, &invert, &optind, 0); ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = 1; ++ *flags = 1; ++ break; ++ ++ case '2': ++ /* not going to use this, but maybe we need to strip a ! anyway (?) */ ++ check_inverse(optarg, &invert, &optind, 0); ++ ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ case '3': ++ layer7info->pkt = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --pattern. */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--pattern'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ ++ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, ++ ((struct ipt_layer7_info *)match->data)->invert, numeric); ++ ++ if (((struct ipt_layer7_info *)match->data)->pkt) ++ printf("l7pkt "); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ const struct ipt_layer7_info *info = ++ (const struct ipt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); ++} ++ ++static struct iptables_match layer7 = { ++ .name = "layer7", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .help = &help, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_match(&layer7); ++} +diff -urN iptables.old/extensions/libipt_layer7.man iptables.dev/extensions/libipt_layer7.man +--- iptables.old/extensions/libipt_layer7.man 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/libipt_layer7.man 2005-11-10 16:57:51.823381250 +0100 +@@ -0,0 +1,13 @@ ++This module matches packets based on the application layer data of ++their connections. It uses regular expression matching to compare ++the application layer data to regular expressions found it the layer7 ++configuration files. This is an experimental module which can be found at ++http://l7-filter.sf.net. It takes two options. ++.TP ++.BI "--l7proto " "\fIprotocol\fP" ++Match the specified protocol. The protocol name must match a file ++name in /etc/l7-protocols/ ++.TP ++.BI "--l7dir " "\fIdirectory\fP" ++Use \fIdirectory\fP instead of /etc/l7-protocols/ ++ diff --git a/package/iptables/patches/004-multiport_v1.patch b/package/iptables/patches/004-multiport_v1.patch new file mode 100644 index 000000000..90b5144c7 --- /dev/null +++ b/package/iptables/patches/004-multiport_v1.patch @@ -0,0 +1,221 @@ +diff -urN iptables.old/extensions/libipt_multiport.c iptables.dev/extensions/libipt_multiport.c +--- iptables.old/extensions/libipt_multiport.c 2005-02-19 20:19:17.000000000 +0100 ++++ iptables.dev/extensions/libipt_multiport.c 2006-02-04 05:46:12.154127750 +0100 +@@ -8,24 +8,6 @@ + /* To ensure that iptables compiles with an old kernel */ + #include "../include/linux/netfilter_ipv4/ipt_multiport.h" + +-/* Function which prints out usage message. */ +-static void +-help(void) +-{ +- printf( +-"multiport v%s options:\n" +-" --source-ports port[,port,port...]\n" +-" --sports ...\n" +-" match source port(s)\n" +-" --destination-ports port[,port,port...]\n" +-" --dports ...\n" +-" match destination port(s)\n" +-" --ports port[,port,port]\n" +-" match both source and destination port(s)\n" +-" NOTE: this kernel does not support port ranges in multiport.\n", +-IPTABLES_VERSION); +-} +- + static void + help_v1(void) + { +@@ -75,26 +57,6 @@ + "invalid port/service `%s' specified", port); + } + +-static unsigned int +-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) +-{ +- char *buffer, *cp, *next; +- unsigned int i; +- +- buffer = strdup(portstring); +- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed"); +- +- for (cp=buffer, i=0; cp && idata; +- +- switch (c) { +- case '1': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(entry); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = IPT_MULTIPORT_SOURCE; +- break; +- +- case '2': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(entry); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = IPT_MULTIPORT_DESTINATION; +- break; +- +- case '3': +- check_inverse(argv[optind-1], &invert, &optind, 0); +- proto = check_proto(entry); +- multiinfo->count = parse_multi_ports(argv[optind-1], +- multiinfo->ports, proto); +- multiinfo->flags = IPT_MULTIPORT_EITHER; +- break; +- +- default: +- return 0; +- } +- +- if (invert) +- exit_error(PARAMETER_PROBLEM, +- "multiport does not support invert"); +- +- if (*flags) +- exit_error(PARAMETER_PROBLEM, +- "multiport can only have one option"); +- *flags = 1; +- return 1; +-} +- + static int + parse_v1(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, +@@ -289,43 +199,6 @@ + printf("%s", service); + } + +-/* Prints out the matchinfo. */ +-static void +-print(const struct ipt_ip *ip, +- const struct ipt_entry_match *match, +- int numeric) +-{ +- const struct ipt_multiport *multiinfo +- = (const struct ipt_multiport *)match->data; +- unsigned int i; +- +- printf("multiport "); +- +- switch (multiinfo->flags) { +- case IPT_MULTIPORT_SOURCE: +- printf("sports "); +- break; +- +- case IPT_MULTIPORT_DESTINATION: +- printf("dports "); +- break; +- +- case IPT_MULTIPORT_EITHER: +- printf("ports "); +- break; +- +- default: +- printf("ERROR "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], ip->proto, numeric); +- } +- printf(" "); +-} +- + static void + print_v1(const struct ipt_ip *ip, + const struct ipt_entry_match *match, +@@ -369,34 +242,6 @@ + printf(" "); + } + +-/* Saves the union ipt_matchinfo in parsable form to stdout. */ +-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +-{ +- const struct ipt_multiport *multiinfo +- = (const struct ipt_multiport *)match->data; +- unsigned int i; +- +- switch (multiinfo->flags) { +- case IPT_MULTIPORT_SOURCE: +- printf("--sports "); +- break; +- +- case IPT_MULTIPORT_DESTINATION: +- printf("--dports "); +- break; +- +- case IPT_MULTIPORT_EITHER: +- printf("--ports "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], ip->proto, 1); +- } +- printf(" "); +-} +- + static void save_v1(const struct ipt_ip *ip, + const struct ipt_entry_match *match) + { +@@ -432,19 +277,20 @@ + printf(" "); + } + ++ + static struct iptables_match multiport = { + .next = NULL, + .name = "multiport", +- .revision = 0, + .version = IPTABLES_VERSION, +- .size = IPT_ALIGN(sizeof(struct ipt_multiport)), +- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)), +- .help = &help, ++ .revision = 0, ++ .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), ++ .help = &help_v1, + .init = &init, +- .parse = &parse, ++ .parse = &parse_v1, + .final_check = &final_check, +- .print = &print, +- .save = &save, ++ .print = &print_v1, ++ .save = &save_v1, + .extra_opts = opts + }; + diff --git a/package/iptables/patches/005-imq1.patch b/package/iptables/patches/005-imq1.patch new file mode 100644 index 000000000..459189030 --- /dev/null +++ b/package/iptables/patches/005-imq1.patch @@ -0,0 +1,224 @@ +diff -urN iptables.old/extensions/.IMQ-test iptables.dev/extensions/.IMQ-test +--- iptables.old/extensions/.IMQ-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/.IMQ-test 2005-10-09 01:00:36.358959750 +0200 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ +diff -urN iptables.old/extensions/.IMQ-test6 iptables.dev/extensions/.IMQ-test6 +--- iptables.old/extensions/.IMQ-test6 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/.IMQ-test6 2005-10-09 01:00:36.358959750 +0200 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ +diff -urN iptables.old/extensions/libip6t_IMQ.c iptables.dev/extensions/libip6t_IMQ.c +--- iptables.old/extensions/libip6t_IMQ.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/libip6t_IMQ.c 2005-10-09 01:00:36.358959750 +0200 +@@ -0,0 +1,101 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev enqueue to imq, defaults to 0\n", ++IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void ++init(struct ip6t_entry_target *t, unsigned int *nfcache) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; ++ ++ mr->todev = 0; ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ip6t_entry *entry, ++ struct ip6t_entry_target **target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++} ++ ++/* Prints out the targinfo. */ ++static void ++print(const struct ip6t_ip6 *ip, ++ const struct ip6t_entry_target *target, ++ int numeric) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void ++save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct ip6tables_target imq = { ++ .next = NULL, ++ .name = "IMQ", ++ .version = IPTABLES_VERSION, ++ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), ++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_target6(&imq); ++} +diff -urN iptables.old/extensions/libipt_IMQ.c iptables.dev/extensions/libipt_IMQ.c +--- iptables.old/extensions/libipt_IMQ.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.dev/extensions/libipt_IMQ.c 2005-10-09 01:00:36.358959750 +0200 +@@ -0,0 +1,101 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void ++help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev enqueue to imq, defaults to 0\n", ++IPTABLES_VERSION); ++} ++ ++static struct option opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void ++init(struct ipt_entry_target *t, unsigned int *nfcache) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; ++ ++ mr->todev = 0; ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void ++final_check(unsigned int flags) ++{ ++} ++ ++/* Prints out the targinfo. */ ++static void ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, ++ int numeric) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void ++save(const struct ipt_ip *ip, const struct ipt_entry_target *target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct iptables_target imq = { ++ .next = NULL, ++ .name = "IMQ", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_target(&imq); ++} diff --git a/package/iptables/patches/006-iprange-typesh.patch b/package/iptables/patches/006-iprange-typesh.patch new file mode 100644 index 000000000..2dc60d44b --- /dev/null +++ b/package/iptables/patches/006-iprange-typesh.patch @@ -0,0 +1,10 @@ +--- iptables-1.3.5/extensions/libipt_iprange.c.orig 2006-12-05 19:28:58.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_iprange.c 2006-12-05 19:30:28.000000000 +0100 +@@ -6,6 +6,7 @@ + #include + + #include ++#include + #include + + /* Function which prints out usage message. */ diff --git a/package/iptables/patches/007-ifname_warning.patch b/package/iptables/patches/007-ifname_warning.patch new file mode 100644 index 000000000..d6ffe1384 --- /dev/null +++ b/package/iptables/patches/007-ifname_warning.patch @@ -0,0 +1,28 @@ +diff -ur iptables.old/ip6tables.c iptables.dev/ip6tables.c +--- iptables.old/ip6tables.c 2006-01-30 09:43:12.000000000 +0100 ++++ iptables.dev/ip6tables.c 2007-01-02 00:29:50.000000000 +0100 +@@ -857,8 +857,9 @@ + for (i = 0; vianame[i]; i++) { + if (!isalnum(vianame[i]) + && vianame[i] != '_' ++ && vianame[i] != '-' + && vianame[i] != '.') { +- printf("Warning: wierd character in interface" ++ printf("Warning: weird character in interface" + " `%s' (No aliases, :, ! or *).\n", + vianame); + break; +diff -ur iptables.old/iptables.c iptables.dev/iptables.c +--- iptables.old/iptables.c 2006-01-30 09:43:09.000000000 +0100 ++++ iptables.dev/iptables.c 2007-01-02 00:29:38.000000000 +0100 +@@ -805,8 +805,9 @@ + for (i = 0; vianame[i]; i++) { + if (!isalnum(vianame[i]) + && vianame[i] != '_' ++ && vianame[i] != '-' + && vianame[i] != '.') { +- printf("Warning: wierd character in interface" ++ printf("Warning: weird character in interface" + " `%s' (No aliases, :, ! or *).\n", + vianame); + break; diff --git a/package/iptables/patches/008-chaostables.patch b/package/iptables/patches/008-chaostables.patch new file mode 100644 index 000000000..7fc1aab45 --- /dev/null +++ b/package/iptables/patches/008-chaostables.patch @@ -0,0 +1,336 @@ +diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test +--- iptables-1.3.5.orig/extensions/.CHAOS-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/.CHAOS-test 2007-01-09 16:05:23.251885840 +0100 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"; +diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test +--- iptables-1.3.5.orig/extensions/.DELUDE-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/.DELUDE-test 2007-01-09 16:05:18.104057722 +0100 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++echo "DELUDE"; +diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c +--- iptables-1.3.5.orig/extensions/libipt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_CHAOS.c 2007-01-09 16:05:23.251885840 +0100 +@@ -0,0 +1,111 @@ ++/* ++ CHAOS target for iptables ++ ++ Copyright © Jan Engelhardt , 2006 - 2007 ++ released under the terms of the GNU General Public ++ License version 2.x and only versions 2.x. ++*/ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++static void libipt_chaos_help(void) ++{ ++ printf( ++ "CHAOS target v%s options:\n" ++ " --delude Enable DELUDE processing for TCP\n" ++ " --tarpit Enable TARPIT processing for TCP\n", ++ IPTABLES_VERSION); ++ return; ++} ++ ++static int libipt_chaos_parse(int c, char **argv, int invert, ++ unsigned int *flags, const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ struct xt_chaos_info *info = (void *)((*target)->data); ++ switch(c) { ++ case 'd': ++ info->variant = XTCHAOS_DELUDE; ++ *flags |= 0x02; ++ return 1; ++ case 't': ++ info->variant = XTCHAOS_TARPIT; ++ *flags |= 0x01; ++ return 1; ++ } ++ return 0; ++} ++ ++static void libipt_chaos_check(unsigned int flags) ++{ ++ if(flags != 0x03) ++ return; ++ /* If flags == 0x03, both were specified, which should not be. */ ++ exit_error(PARAMETER_PROBLEM, ++ "CHAOS: only one of --tarpit or --delude may be specified"); ++ return; ++} ++ ++static void libipt_chaos_print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, int numeric) ++{ ++ const struct xt_chaos_info *info = (const void *)target->data; ++ switch(info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("DELUDE "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("TARPIT "); ++ break; ++ default: ++ break; ++ } ++ return; ++} ++ ++static void libipt_chaos_save(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target) ++{ ++ const struct xt_chaos_info *info = (const void *)target->data; ++ switch(info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("--delude "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("--tarpit "); ++ break; ++ default: ++ break; ++ } ++ return; ++} ++ ++static struct option libipt_chaos_opts[] = { ++ {"delude", 0, NULL, 'd'}, ++ {"tarpit", 0, NULL, 't'}, ++ {NULL}, ++}; ++ ++static struct iptables_target libipt_chaos_info = { ++ .name = "CHAOS", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)), ++ .help = libipt_chaos_help, ++ .parse = libipt_chaos_parse, ++ .final_check = libipt_chaos_check, ++ .print = libipt_chaos_print, ++ .save = libipt_chaos_save, ++ .extra_opts = libipt_chaos_opts, ++}; ++ ++static __attribute__((constructor)) void libipt_chaos_init(void) ++{ ++ register_target(&libipt_chaos_info); ++ return; ++} +diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c +--- iptables-1.3.5.orig/extensions/libipt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_DELUDE.c 2007-01-09 16:05:18.104057722 +0100 +@@ -0,0 +1,66 @@ ++/* ++ DELUDE target for iptables ++ ++ Copyright © Jan Engelhardt , 2006 - 2007 ++ released under the terms of the GNU General Public ++ License version 2.x and only versions 2.x. ++*/ ++#include ++#include ++#include ++ ++#include ++#include ++ ++static void libipt_delude_help(void) ++{ ++ printf("DELUDE takes no options\n"); ++ return; ++} ++ ++static int libipt_delude_parse(int c, char **argv, int invert, ++ unsigned int *flags, const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void libipt_delude_check(unsigned int flags) ++{ ++ return; ++} ++ ++static void libipt_delude_print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, int numeric) ++{ ++ return; ++} ++ ++static void libipt_delude_save(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target) ++{ ++ return; ++} ++ ++static struct option libipt_delude_opts[] = { ++ {NULL}, ++}; ++ ++static struct iptables_target libipt_delude_info = { ++ .name = "DELUDE", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(0), ++ .userspacesize = IPT_ALIGN(0), ++ .help = libipt_delude_help, ++ .parse = libipt_delude_parse, ++ .final_check = libipt_delude_check, ++ .print = libipt_delude_print, ++ .save = libipt_delude_save, ++ .extra_opts = libipt_delude_opts, ++}; ++ ++static __attribute__((constructor)) void libipt_delude_init(void) ++{ ++ register_target(&libipt_delude_info); ++ return; ++} +diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c +--- iptables-1.3.5.orig/extensions/libipt_portscan.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_portscan.c 2007-01-09 16:05:14.228187134 +0100 +@@ -0,0 +1,129 @@ ++/* ++ portscan match for iptables ++ ++ Copyright © Jan Engelhardt , 2006 - 2007 ++ released under the terms of the GNU General Public ++ License version 2.x and only versions 2.x. ++*/ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++static void libipt_portscan_help(void) ++{ ++ printf( ++ "portscan match v%s options:\n" ++ "(Combining them will make them match by OR-logic)\n" ++ " --stealth Match TCP Stealth packets\n" ++ " --synscan Match TCP SYN scans\n" ++ " --cnscan Match TCP Connect scans\n" ++ " --grscan Match Banner Grabbing scans\n", ++ IPTABLES_VERSION); ++ return; ++} ++ ++static void libipt_portscan_mtinit(struct ipt_entry_match *match, ++ unsigned int *nfcache) ++{ ++ /* Cannot cache this */ ++ *nfcache |= NFC_UNKNOWN; ++ return; ++} ++ ++static int libipt_portscan_parse(int c, char **argv, int invert, ++ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc, ++ struct ipt_entry_match **match) ++{ ++ struct xt_portscan_info *info = (void *)((*match)->data); ++ ++ switch(c) { ++ case 'c': ++ info->match_cn = 1; ++ return 1; ++ case 'g': ++ info->match_gr = 1; ++ return 1; ++ case 's': ++ info->match_syn = 1; ++ return 1; ++ case 'x': ++ info->match_stealth = 1; ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++static void libipt_portscan_check(unsigned int flags) ++{ ++ return; ++} ++ ++static void libipt_portscan_print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, int numeric) ++{ ++ const struct xt_portscan_info *info = (const void *)(match->data); ++ const char *s = ""; ++ ++ printf("portscan "); ++ if(info->match_stealth) { ++ printf("STEALTH"); ++ s = ","; ++ } ++ if(info->match_syn) { ++ printf("%sSYNSCAN", s); ++ s = ","; ++ } ++ if(info->match_cn) { ++ printf("%sCNSCAN", s); ++ s = ","; ++ } ++ if(info->match_gr) ++ printf("%sGRSCAN", s); ++ printf(" "); ++ return; ++} ++ ++static void libipt_portscan_save(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match) ++{ ++ const struct xt_portscan_info *info = (const void *)(match->data); ++ if(info->match_stealth) printf("--stealth "); ++ if(info->match_syn) printf("--synscan "); ++ if(info->match_cn) printf("--cnscan "); ++ if(info->match_gr) printf("--grscan "); ++ return; ++} ++ ++static struct option libipt_portscan_opts[] = { ++ {"stealth", 0, NULL, 'x'}, ++ {"synscan", 0, NULL, 's'}, ++ {"cnscan", 0, NULL, 'c'}, ++ {"grscan", 0, NULL, 'g'}, ++ {NULL}, ++}; ++ ++static struct iptables_match libipt_portscan_info = { ++ .name = "portscan", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)), ++ .help = libipt_portscan_help, ++ .init = libipt_portscan_mtinit, ++ .parse = libipt_portscan_parse, ++ .final_check = libipt_portscan_check, ++ .print = libipt_portscan_print, ++ .save = libipt_portscan_save, ++ .extra_opts = libipt_portscan_opts, ++}; ++ ++static __attribute__((constructor)) void libipt_portscan_init(void) ++{ ++ register_match(&libipt_portscan_info); ++ return; ++} +diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test +--- iptables-1.3.5.orig/extensions/.portscan-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/.portscan-test 2007-01-09 16:05:14.228187134 +0100 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"; diff --git a/package/iptables/patches/01-ipp2p-0.8.1rc1.patch b/package/iptables/patches/01-ipp2p-0.8.1rc1.patch deleted file mode 100644 index f7129b456..000000000 --- a/package/iptables/patches/01-ipp2p-0.8.1rc1.patch +++ /dev/null @@ -1,454 +0,0 @@ -diff -urN iptables.old/extensions/Makefile iptables.dev/extensions/Makefile ---- iptables.old/extensions/Makefile 2005-07-20 04:22:56.000000000 +0200 -+++ iptables.dev/extensions/Makefile 2006-03-23 14:42:28.000000000 +0100 -@@ -8,6 +8,10 @@ - PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG - PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL LOG NFQUEUE MARK TRACE - -+ -+# ipp2p -+PF_EXT_SLIB += ipp2p -+ - # Optionals - PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) - PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) -diff -urN iptables.old/extensions/libipt_ipp2p.c iptables.dev/extensions/libipt_ipp2p.c ---- iptables.old/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/libipt_ipp2p.c 2006-03-23 14:43:26.000000000 +0100 -@@ -0,0 +1,401 @@ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#include -+ -+static void -+help(void) -+{ -+ printf( -+ "IPP2P v%s options:\n" -+ " --ipp2p Grab all known p2p packets\n" -+ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" -+ " --dc [TCP] All known Direct Connect packets\n" -+ " --kazaa [TCP&UDP] All known KaZaA packets\n" -+ " --gnu [TCP&UDP] All known Gnutella packets\n" -+ " --bit [TCP&UDP] All known BitTorrent packets\n" -+ " --apple [TCP] All known AppleJuice packets\n" -+ " --winmx [TCP] All known WinMX\n" -+ " --soul [TCP] All known SoulSeek\n" -+ " --ares [TCP] All known Ares\n\n" -+ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" -+ " --mute [TCP] All known Mute packets\n" -+ " --waste [TCP] All known Waste packets\n" -+ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n" -+ " DEBUG SUPPPORT, use only if you know why\n" -+ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" -+ "\nNote that the follwing options will have the same meaning:\n" -+ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n" -+ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" -+ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" -+ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" -+ "\nExamples:\n" -+ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" -+ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" -+ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" -+ , IPP2P_VERSION); -+} -+ -+static struct option opts[] = { -+ { "ipp2p", 0, 0, '1' }, -+ { "edk", 0, 0, '2' }, -+ { "dc", 0, 0, '7' }, -+ { "gnu", 0, 0, '9' }, -+ { "kazaa", 0, 0, 'a' }, -+ { "bit", 0, 0, 'b' }, -+ { "apple", 0, 0, 'c' }, -+ { "soul", 0, 0, 'd' }, -+ { "winmx", 0, 0, 'e' }, -+ { "ares", 0, 0, 'f' }, -+ { "mute", 0, 0, 'g' }, -+ { "waste", 0, 0, 'h' }, -+ { "xdcc", 0, 0, 'i' }, -+ { "debug", 0, 0, 'j' }, -+ {0} -+}; -+ -+ -+ -+static void -+init(struct ipt_entry_match *m, unsigned int *nfcache) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; -+ -+ *nfcache |= NFC_UNKNOWN; -+ -+ /*init the module with default values*/ -+ info->cmd = 0; -+ info->debug = 0; -+ -+} -+ -+ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ unsigned int *nfcache, -+ struct ipt_entry_match **match) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; -+ -+ switch (c) { -+ case '1': /*cmd: ipp2p*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified once!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags) != 0) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += SHORT_HAND_IPP2P; -+ info->cmd = *flags; -+ break; -+ -+ case '2': /*cmd: edk*/ -+ if ((*flags & IPP2P_EDK) == IPP2P_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--edk' may only be " -+ "specified once"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_EDK; -+ info->cmd = *flags; -+ break; -+ -+ -+ case '7': /*cmd: dc*/ -+ if ((*flags & IPP2P_DC) == IPP2P_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--dc' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DC; -+ info->cmd = *flags; -+ break; -+ -+ -+ case '9': /*cmd: gnu*/ -+ if ((*flags & IPP2P_GNU) == IPP2P_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--gnu' may only be " -+ "specified once!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_GNU; -+ info->cmd = *flags; -+ break; -+ -+ case 'a': /*cmd: kazaa*/ -+ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--kazaa' may only be " -+ "specified once!"); -+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!");*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_KAZAA; -+ info->cmd = *flags; -+ break; -+ -+ case 'b': /*cmd: bit*/ -+ if ((*flags & IPP2P_BIT) == IPP2P_BIT) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--bit' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_BIT; -+ info->cmd = *flags; -+ break; -+ -+ case 'c': /*cmd: apple*/ -+ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--apple' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_APPLE; -+ info->cmd = *flags; -+ break; -+ -+ -+ case 'd': /*cmd: soul*/ -+ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--soul' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_SOUL; -+ info->cmd = *flags; -+ break; -+ -+ -+ case 'e': /*cmd: winmx*/ -+ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--winmx' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_WINMX; -+ info->cmd = *flags; -+ break; -+ -+ case 'f': /*cmd: ares*/ -+ if ((*flags & IPP2P_ARES) == IPP2P_ARES) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ares' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_ARES; -+ info->cmd = *flags; -+ break; -+ -+ case 'g': /*cmd: mute*/ -+ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--mute' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_MUTE; -+ info->cmd = *flags; -+ break; -+ case 'h': /*cmd: waste*/ -+ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--waste' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_WASTE; -+ info->cmd = *flags; -+ break; -+ case 'i': /*cmd: xdcc*/ -+ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ares' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_XDCC; -+ info->cmd = *flags; -+ break; -+ -+ case 'j': /*cmd: debug*/ -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ info->debug = 1; -+ break; -+ -+ default: -+// exit_error(PARAMETER_PROBLEM, -+// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+ -+static void -+final_check(unsigned int flags) -+{ -+ if (!flags) -+ exit_error(PARAMETER_PROBLEM, -+ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); -+} -+ -+ -+ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, -+ int numeric) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; -+ -+ printf("ipp2p v%s", IPP2P_VERSION); -+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); -+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); -+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); -+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); -+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); -+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); -+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); -+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); -+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); -+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); -+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); -+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); -+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); -+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); -+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); -+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); -+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); -+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); -+ if (info->debug != 0) printf(" --debug"); -+ printf(" "); -+} -+ -+ -+ -+static void -+save(const struct ipt_ip *ip, const struct ipt_entry_match *match) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; -+ -+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); -+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); -+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); -+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); -+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); -+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); -+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); -+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); -+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); -+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); -+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); -+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); -+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); -+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); -+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); -+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); -+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); -+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); -+ if (info->debug != 0) printf("--debug "); -+} -+ -+ -+ -+ -+static -+struct iptables_match ipp2p= -+{ -+ .next = NULL, -+ .name = "ipp2p", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+ -+ -+void _init(void) -+{ -+ register_match(&ipp2p); -+} -+ -diff -urN iptables.old/include/linux/netfilter_ipv4/ipt_ipp2p.h iptables.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h ---- iptables.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2006-03-23 14:44:26.000000000 +0100 -@@ -0,0 +1,31 @@ -+#ifndef __IPT_IPP2P_H -+#define __IPT_IPP2P_H -+#define IPP2P_VERSION "0.8.1_rc1" -+ -+struct ipt_p2p_info { -+ int cmd; -+ int debug; -+}; -+ -+#endif //__IPT_IPP2P_H -+ -+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ -+//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ -+#define SHORT_HAND_NONE 5 /* no short hand*/ -+ -+#define IPP2P_EDK (1 << 1) -+#define IPP2P_DATA_KAZAA (1 << 2) -+#define IPP2P_DATA_EDK (1 << 3) -+#define IPP2P_DATA_DC (1 << 4) -+#define IPP2P_DC (1 << 5) -+#define IPP2P_DATA_GNU (1 << 6) -+#define IPP2P_GNU (1 << 7) -+#define IPP2P_KAZAA (1 << 8) -+#define IPP2P_BIT (1 << 9) -+#define IPP2P_APPLE (1 << 10) -+#define IPP2P_SOUL (1 << 11) -+#define IPP2P_WINMX (1 << 12) -+#define IPP2P_ARES (1 << 13) -+#define IPP2P_MUTE (1 << 14) -+#define IPP2P_WASTE (1 << 15) -+#define IPP2P_XDCC (1 << 16) diff --git a/package/iptables/patches/02-layer7-1.5nbd.patch b/package/iptables/patches/02-layer7-1.5nbd.patch deleted file mode 100644 index 95c62a860..000000000 --- a/package/iptables/patches/02-layer7-1.5nbd.patch +++ /dev/null @@ -1,416 +0,0 @@ -diff -urN iptables.old/extensions/.layer7-test iptables.dev/extensions/.layer7-test ---- iptables.old/extensions/.layer7-test 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/.layer7-test 2005-11-10 16:57:51.819381000 +0100 -@@ -0,0 +1,2 @@ -+#! /bin/sh -+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7 -diff -urN iptables.old/extensions/ipt_layer7.h iptables.dev/extensions/ipt_layer7.h ---- iptables.old/extensions/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/ipt_layer7.h 2005-11-10 17:46:32.933599750 +0100 -@@ -0,0 +1,27 @@ -+/* -+ By Matthew Strait , Dec 2003. -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#ifndef _IPT_LAYER7_H -+#define _IPT_LAYER7_H -+ -+#define MAX_PATTERN_LEN 8192 -+#define MAX_PROTOCOL_LEN 256 -+ -+typedef char *(*proc_ipt_search) (char *, char, char *); -+ -+struct ipt_layer7_info { -+ char protocol[MAX_PROTOCOL_LEN]; -+ char invert:1; -+ char pattern[MAX_PATTERN_LEN]; -+ char pkt; -+}; -+ -+#endif /* _IPT_LAYER7_H */ -diff -urN iptables.old/extensions/libipt_layer7.c iptables.dev/extensions/libipt_layer7.c ---- iptables.old/extensions/libipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/libipt_layer7.c 2005-11-10 17:47:01.399378750 +0100 -@@ -0,0 +1,358 @@ -+/* -+ Shared library add-on to iptables to add layer 7 matching support. -+ -+ By Matthew Strait , Oct 2003. -+ -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+ -+ Based on libipt_string.c (C) 2000 Emmanuel Roger -+*/ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include "ipt_layer7.h" -+ -+#define MAX_FN_LEN 256 -+ -+static char l7dir[MAX_FN_LEN] = "\0"; -+ -+/* Function which prints out usage message. */ -+static void help(void) -+{ -+ printf( -+ "LAYER7 match v%s options:\n" -+ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" -+ " (--l7dir must be specified before --l7proto if used!)\n" -+ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n" -+ "--l7pkt : Skip connection tracking and match individual packets\n", -+ IPTABLES_VERSION); -+ fputc('\n', stdout); -+} -+ -+static struct option opts[] = { -+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, -+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, -+ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' }, -+ { .name = 0 } -+}; -+ -+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ -+int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) -+{ -+ FILE * f; -+ char * line = NULL; -+ size_t len = 0; -+ -+ enum { protocol, pattern, done } datatype = protocol; -+ -+ f = fopen(filename, "r"); -+ -+ if(!f) -+ return 0; -+ -+ while(getline(&line, &len, f) != -1) -+ { -+ if(strlen(line) < 2 || line[0] == '#') -+ continue; -+ -+ /* strip the pesky newline... */ -+ if(line[strlen(line) - 1] == '\n') -+ line[strlen(line) - 1] = '\0'; -+ -+ if(datatype == protocol) -+ { -+ if(strcmp(line, protoname)) -+ exit_error(OTHER_PROBLEM, -+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", -+ protoname, filename); -+ -+ if(strlen(line) >= MAX_PROTOCOL_LEN) -+ exit_error(PARAMETER_PROBLEM, -+ "Protocol name in %s too long!", filename); -+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); -+ -+ datatype = pattern; -+ } -+ else if(datatype == pattern) -+ { -+ if(strlen(line) >= MAX_PATTERN_LEN) -+ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); -+ strncpy(info->pattern, line, MAX_PATTERN_LEN); -+ -+ datatype = done; -+ break; -+ } -+ else -+ exit_error(OTHER_PROBLEM, "Internal error"); -+ } -+ -+ if(datatype != done) -+ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); -+ -+ if(line) free(line); -+ fclose(f); -+ -+ return 1; -+ -+/* -+ fprintf(stderr, "protocol: %s\npattern: %s\n\n", -+ info->protocol, -+ info->pattern); -+*/ -+} -+ -+static int hex2dec(char c) -+{ -+ switch (c) -+ { -+ case '0' ... '9': -+ return c - '0'; -+ case 'a' ... 'f': -+ return c - 'a' + 10; -+ case 'A' ... 'F': -+ return c - 'A' + 10; -+ default: -+ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); -+ return 0; -+ } -+} -+ -+/* takes a string with \xHH escapes and returns one with the characters -+they stand for */ -+static char * pre_process(char * s) -+{ -+ char * result = malloc(strlen(s) + 1); -+ int sindex = 0, rindex = 0; -+ while( sindex < strlen(s) ) -+ { -+ if( sindex + 3 < strlen(s) && -+ s[sindex] == '\\' && s[sindex+1] == 'x' && -+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) -+ { -+ /* carefully remember to call tolower here... */ -+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + -+ hex2dec(s[sindex + 3] ) ); -+ sindex += 3; /* 4 total */ -+ } -+ else -+ result[rindex] = tolower(s[sindex]); -+ -+ sindex++; -+ rindex++; -+ } -+ result[rindex] = '\0'; -+ -+ return result; -+} -+ -+#define MAX_SUBDIRS 128 -+char ** readl7dir(char * dirname) -+{ -+ DIR * scratchdir; -+ struct dirent ** namelist; -+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); -+ -+ int n, d = 1; -+ subdirs[0] = ""; -+ -+ n = scandir(dirname, &namelist, 0, alphasort); -+ -+ if (n < 0) -+ { -+ perror("scandir"); -+ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); -+ } -+ else -+ { -+ while(n--) -+ { -+ char fulldirname[MAX_FN_LEN]; -+ -+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); -+ -+ if((scratchdir = opendir(fulldirname)) != NULL) -+ { -+ closedir(scratchdir); -+ -+ if(!strcmp(namelist[n]->d_name, ".") || -+ !strcmp(namelist[n]->d_name, "..")) -+ /* do nothing */ ; -+ else -+ { -+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); -+ strcpy(subdirs[d], namelist[n]->d_name); -+ d++; -+ if(d >= MAX_SUBDIRS - 1) -+ { -+ fprintf(stderr, -+ "Too many subdirectories, skipping the rest!\n"); -+ break; -+ } -+ } -+ } -+ free(namelist[n]); -+ } -+ free(namelist); -+ } -+ -+ subdirs[d] = NULL; -+ -+ return subdirs; -+} -+ -+static void -+parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info) -+{ -+ char filename[MAX_FN_LEN]; -+ char * dir = NULL; -+ char ** subdirs; -+ int n = 0, done = 0; -+ -+ if(strlen(l7dir) > 0) -+ dir = l7dir; -+ else -+ dir = "/etc/l7-protocols"; -+ -+ subdirs = readl7dir(dir); -+ -+ while(subdirs[n] != NULL) -+ { -+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); -+ -+ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); -+ -+ if(c > MAX_FN_LEN) -+ { -+ exit_error(OTHER_PROBLEM, -+ "Filename beginning with %s is too long!\n", filename); -+ } -+ -+ /* read in the pattern from the file */ -+ if(parse_protocol_file(filename, s, info)) -+ { -+ //fprintf(stderr, "found\n"); -+ done = 1; -+ break; -+ } -+ -+ //fprintf(stderr, "not found\n"); -+ -+ n++; -+ } -+ -+ if(!done) -+ exit_error(OTHER_PROBLEM, -+ "Couldn't find a pattern definition file for %s.\n", s); -+ -+ /* process \xHH escapes and tolower everything. (our regex lib has no -+ case insensitivity option.) */ -+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); -+} -+ -+/* Function which parses command options; returns true if it ate an option */ -+static int parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, unsigned int *nfcache, -+ struct ipt_entry_match **match) -+{ -+ struct ipt_layer7_info *layer7info = -+ (struct ipt_layer7_info *)(*match)->data; -+ -+ switch (c) { -+ case '1': -+ check_inverse(optarg, &invert, &optind, 0); -+ parse_layer7_protocol(argv[optind-1], layer7info); -+ if (invert) -+ layer7info->invert = 1; -+ *flags = 1; -+ break; -+ -+ case '2': -+ /* not going to use this, but maybe we need to strip a ! anyway (?) */ -+ check_inverse(optarg, &invert, &optind, 0); -+ -+ if(strlen(argv[optind-1]) >= MAX_FN_LEN) -+ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); -+ -+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); -+ -+ *flags = 1; -+ break; -+ case '3': -+ layer7info->pkt = 1; -+ break; -+ -+ default: -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* Final check; must have specified --pattern. */ -+static void final_check(unsigned int flags) -+{ -+ if (!flags) -+ exit_error(PARAMETER_PROBLEM, -+ "LAYER7 match: You must specify `--pattern'"); -+} -+ -+static void print_protocol(char s[], int invert, int numeric) -+{ -+ fputs("l7proto ", stdout); -+ if (invert) fputc('!', stdout); -+ printf("%s ", s); -+} -+ -+/* Prints out the matchinfo. */ -+static void print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, -+ int numeric) -+{ -+ printf("LAYER7 "); -+ -+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, -+ ((struct ipt_layer7_info *)match->data)->invert, numeric); -+ -+ if (((struct ipt_layer7_info *)match->data)->pkt) -+ printf("l7pkt "); -+} -+/* Saves the union ipt_matchinfo in parsable form to stdout. */ -+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) -+{ -+ const struct ipt_layer7_info *info = -+ (const struct ipt_layer7_info*) match->data; -+ -+ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); -+} -+ -+static struct iptables_match layer7 = { -+ .name = "layer7", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), -+ .help = &help, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ register_match(&layer7); -+} -diff -urN iptables.old/extensions/libipt_layer7.man iptables.dev/extensions/libipt_layer7.man ---- iptables.old/extensions/libipt_layer7.man 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/libipt_layer7.man 2005-11-10 16:57:51.823381250 +0100 -@@ -0,0 +1,13 @@ -+This module matches packets based on the application layer data of -+their connections. It uses regular expression matching to compare -+the application layer data to regular expressions found it the layer7 -+configuration files. This is an experimental module which can be found at -+http://l7-filter.sf.net. It takes two options. -+.TP -+.BI "--l7proto " "\fIprotocol\fP" -+Match the specified protocol. The protocol name must match a file -+name in /etc/l7-protocols/ -+.TP -+.BI "--l7dir " "\fIdirectory\fP" -+Use \fIdirectory\fP instead of /etc/l7-protocols/ -+ diff --git a/package/iptables/patches/04-multiport_v1.patch b/package/iptables/patches/04-multiport_v1.patch deleted file mode 100644 index 90b5144c7..000000000 --- a/package/iptables/patches/04-multiport_v1.patch +++ /dev/null @@ -1,221 +0,0 @@ -diff -urN iptables.old/extensions/libipt_multiport.c iptables.dev/extensions/libipt_multiport.c ---- iptables.old/extensions/libipt_multiport.c 2005-02-19 20:19:17.000000000 +0100 -+++ iptables.dev/extensions/libipt_multiport.c 2006-02-04 05:46:12.154127750 +0100 -@@ -8,24 +8,6 @@ - /* To ensure that iptables compiles with an old kernel */ - #include "../include/linux/netfilter_ipv4/ipt_multiport.h" - --/* Function which prints out usage message. */ --static void --help(void) --{ -- printf( --"multiport v%s options:\n" --" --source-ports port[,port,port...]\n" --" --sports ...\n" --" match source port(s)\n" --" --destination-ports port[,port,port...]\n" --" --dports ...\n" --" match destination port(s)\n" --" --ports port[,port,port]\n" --" match both source and destination port(s)\n" --" NOTE: this kernel does not support port ranges in multiport.\n", --IPTABLES_VERSION); --} -- - static void - help_v1(void) - { -@@ -75,26 +57,6 @@ - "invalid port/service `%s' specified", port); - } - --static unsigned int --parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) --{ -- char *buffer, *cp, *next; -- unsigned int i; -- -- buffer = strdup(portstring); -- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed"); -- -- for (cp=buffer, i=0; cp && idata; -- -- switch (c) { -- case '1': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(entry); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = IPT_MULTIPORT_SOURCE; -- break; -- -- case '2': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(entry); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = IPT_MULTIPORT_DESTINATION; -- break; -- -- case '3': -- check_inverse(argv[optind-1], &invert, &optind, 0); -- proto = check_proto(entry); -- multiinfo->count = parse_multi_ports(argv[optind-1], -- multiinfo->ports, proto); -- multiinfo->flags = IPT_MULTIPORT_EITHER; -- break; -- -- default: -- return 0; -- } -- -- if (invert) -- exit_error(PARAMETER_PROBLEM, -- "multiport does not support invert"); -- -- if (*flags) -- exit_error(PARAMETER_PROBLEM, -- "multiport can only have one option"); -- *flags = 1; -- return 1; --} -- - static int - parse_v1(int c, char **argv, int invert, unsigned int *flags, - const struct ipt_entry *entry, -@@ -289,43 +199,6 @@ - printf("%s", service); - } - --/* Prints out the matchinfo. */ --static void --print(const struct ipt_ip *ip, -- const struct ipt_entry_match *match, -- int numeric) --{ -- const struct ipt_multiport *multiinfo -- = (const struct ipt_multiport *)match->data; -- unsigned int i; -- -- printf("multiport "); -- -- switch (multiinfo->flags) { -- case IPT_MULTIPORT_SOURCE: -- printf("sports "); -- break; -- -- case IPT_MULTIPORT_DESTINATION: -- printf("dports "); -- break; -- -- case IPT_MULTIPORT_EITHER: -- printf("ports "); -- break; -- -- default: -- printf("ERROR "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], ip->proto, numeric); -- } -- printf(" "); --} -- - static void - print_v1(const struct ipt_ip *ip, - const struct ipt_entry_match *match, -@@ -369,34 +242,6 @@ - printf(" "); - } - --/* Saves the union ipt_matchinfo in parsable form to stdout. */ --static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) --{ -- const struct ipt_multiport *multiinfo -- = (const struct ipt_multiport *)match->data; -- unsigned int i; -- -- switch (multiinfo->flags) { -- case IPT_MULTIPORT_SOURCE: -- printf("--sports "); -- break; -- -- case IPT_MULTIPORT_DESTINATION: -- printf("--dports "); -- break; -- -- case IPT_MULTIPORT_EITHER: -- printf("--ports "); -- break; -- } -- -- for (i=0; i < multiinfo->count; i++) { -- printf("%s", i ? "," : ""); -- print_port(multiinfo->ports[i], ip->proto, 1); -- } -- printf(" "); --} -- - static void save_v1(const struct ipt_ip *ip, - const struct ipt_entry_match *match) - { -@@ -432,19 +277,20 @@ - printf(" "); - } - -+ - static struct iptables_match multiport = { - .next = NULL, - .name = "multiport", -- .revision = 0, - .version = IPTABLES_VERSION, -- .size = IPT_ALIGN(sizeof(struct ipt_multiport)), -- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)), -- .help = &help, -+ .revision = 0, -+ .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)), -+ .help = &help_v1, - .init = &init, -- .parse = &parse, -+ .parse = &parse_v1, - .final_check = &final_check, -- .print = &print, -- .save = &save, -+ .print = &print_v1, -+ .save = &save_v1, - .extra_opts = opts - }; - diff --git a/package/iptables/patches/05-imq1.patch b/package/iptables/patches/05-imq1.patch deleted file mode 100644 index 459189030..000000000 --- a/package/iptables/patches/05-imq1.patch +++ /dev/null @@ -1,224 +0,0 @@ -diff -urN iptables.old/extensions/.IMQ-test iptables.dev/extensions/.IMQ-test ---- iptables.old/extensions/.IMQ-test 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/.IMQ-test 2005-10-09 01:00:36.358959750 +0200 -@@ -0,0 +1,3 @@ -+#!/bin/sh -+# True if IMQ target patch is applied. -+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ -diff -urN iptables.old/extensions/.IMQ-test6 iptables.dev/extensions/.IMQ-test6 ---- iptables.old/extensions/.IMQ-test6 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/.IMQ-test6 2005-10-09 01:00:36.358959750 +0200 -@@ -0,0 +1,3 @@ -+#!/bin/sh -+# True if IMQ target patch is applied. -+[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ -diff -urN iptables.old/extensions/libip6t_IMQ.c iptables.dev/extensions/libip6t_IMQ.c ---- iptables.old/extensions/libip6t_IMQ.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/libip6t_IMQ.c 2005-10-09 01:00:36.358959750 +0200 -@@ -0,0 +1,101 @@ -+/* Shared library add-on to iptables to add IMQ target support. */ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+/* Function which prints out usage message. */ -+static void -+help(void) -+{ -+ printf( -+"IMQ target v%s options:\n" -+" --todev enqueue to imq, defaults to 0\n", -+IPTABLES_VERSION); -+} -+ -+static struct option opts[] = { -+ { "todev", 1, 0, '1' }, -+ { 0 } -+}; -+ -+/* Initialize the target. */ -+static void -+init(struct ip6t_entry_target *t, unsigned int *nfcache) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; -+ -+ mr->todev = 0; -+ *nfcache |= NFC_UNKNOWN; -+} -+ -+/* Function which parses command options; returns true if it -+ ate an option */ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ip6t_entry *entry, -+ struct ip6t_entry_target **target) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data; -+ -+ switch(c) { -+ case '1': -+ if (check_inverse(optarg, &invert, NULL, 0)) -+ exit_error(PARAMETER_PROBLEM, -+ "Unexpected `!' after --todev"); -+ mr->todev=atoi(optarg); -+ break; -+ default: -+ return 0; -+ } -+ return 1; -+} -+ -+static void -+final_check(unsigned int flags) -+{ -+} -+ -+/* Prints out the targinfo. */ -+static void -+print(const struct ip6t_ip6 *ip, -+ const struct ip6t_entry_target *target, -+ int numeric) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; -+ -+ printf("IMQ: todev %u ", mr->todev); -+} -+ -+/* Saves the union ipt_targinfo in parsable form to stdout. */ -+static void -+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) -+{ -+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; -+ -+ printf("--todev %u", mr->todev); -+} -+ -+static struct ip6tables_target imq = { -+ .next = NULL, -+ .name = "IMQ", -+ .version = IPTABLES_VERSION, -+ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), -+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ register_target6(&imq); -+} -diff -urN iptables.old/extensions/libipt_IMQ.c iptables.dev/extensions/libipt_IMQ.c ---- iptables.old/extensions/libipt_IMQ.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables.dev/extensions/libipt_IMQ.c 2005-10-09 01:00:36.358959750 +0200 -@@ -0,0 +1,101 @@ -+/* Shared library add-on to iptables to add IMQ target support. */ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+/* Function which prints out usage message. */ -+static void -+help(void) -+{ -+ printf( -+"IMQ target v%s options:\n" -+" --todev enqueue to imq, defaults to 0\n", -+IPTABLES_VERSION); -+} -+ -+static struct option opts[] = { -+ { "todev", 1, 0, '1' }, -+ { 0 } -+}; -+ -+/* Initialize the target. */ -+static void -+init(struct ipt_entry_target *t, unsigned int *nfcache) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; -+ -+ mr->todev = 0; -+ *nfcache |= NFC_UNKNOWN; -+} -+ -+/* Function which parses command options; returns true if it -+ ate an option */ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; -+ -+ switch(c) { -+ case '1': -+ if (check_inverse(optarg, &invert, NULL, 0)) -+ exit_error(PARAMETER_PROBLEM, -+ "Unexpected `!' after --todev"); -+ mr->todev=atoi(optarg); -+ break; -+ default: -+ return 0; -+ } -+ return 1; -+} -+ -+static void -+final_check(unsigned int flags) -+{ -+} -+ -+/* Prints out the targinfo. */ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, -+ int numeric) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; -+ -+ printf("IMQ: todev %u ", mr->todev); -+} -+ -+/* Saves the union ipt_targinfo in parsable form to stdout. */ -+static void -+save(const struct ipt_ip *ip, const struct ipt_entry_target *target) -+{ -+ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; -+ -+ printf("--todev %u", mr->todev); -+} -+ -+static struct iptables_target imq = { -+ .next = NULL, -+ .name = "IMQ", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ register_target(&imq); -+} diff --git a/package/iptables/patches/06-iprange-typesh.patch b/package/iptables/patches/06-iprange-typesh.patch deleted file mode 100644 index 2dc60d44b..000000000 --- a/package/iptables/patches/06-iprange-typesh.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- iptables-1.3.5/extensions/libipt_iprange.c.orig 2006-12-05 19:28:58.000000000 +0100 -+++ iptables-1.3.5/extensions/libipt_iprange.c 2006-12-05 19:30:28.000000000 +0100 -@@ -6,6 +6,7 @@ - #include - - #include -+#include - #include - - /* Function which prints out usage message. */ diff --git a/package/iptables/patches/07-ifname_warning.patch b/package/iptables/patches/07-ifname_warning.patch deleted file mode 100644 index d6ffe1384..000000000 --- a/package/iptables/patches/07-ifname_warning.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -ur iptables.old/ip6tables.c iptables.dev/ip6tables.c ---- iptables.old/ip6tables.c 2006-01-30 09:43:12.000000000 +0100 -+++ iptables.dev/ip6tables.c 2007-01-02 00:29:50.000000000 +0100 -@@ -857,8 +857,9 @@ - for (i = 0; vianame[i]; i++) { - if (!isalnum(vianame[i]) - && vianame[i] != '_' -+ && vianame[i] != '-' - && vianame[i] != '.') { -- printf("Warning: wierd character in interface" -+ printf("Warning: weird character in interface" - " `%s' (No aliases, :, ! or *).\n", - vianame); - break; -diff -ur iptables.old/iptables.c iptables.dev/iptables.c ---- iptables.old/iptables.c 2006-01-30 09:43:09.000000000 +0100 -+++ iptables.dev/iptables.c 2007-01-02 00:29:38.000000000 +0100 -@@ -805,8 +805,9 @@ - for (i = 0; vianame[i]; i++) { - if (!isalnum(vianame[i]) - && vianame[i] != '_' -+ && vianame[i] != '-' - && vianame[i] != '.') { -- printf("Warning: wierd character in interface" -+ printf("Warning: weird character in interface" - " `%s' (No aliases, :, ! or *).\n", - vianame); - break; diff --git a/package/iptables/patches/08-chaostables.patch b/package/iptables/patches/08-chaostables.patch deleted file mode 100644 index 7fc1aab45..000000000 --- a/package/iptables/patches/08-chaostables.patch +++ /dev/null @@ -1,336 +0,0 @@ -diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test ---- iptables-1.3.5.orig/extensions/.CHAOS-test 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.3.5/extensions/.CHAOS-test 2007-01-09 16:05:23.251885840 +0100 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"; -diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test ---- iptables-1.3.5.orig/extensions/.DELUDE-test 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.3.5/extensions/.DELUDE-test 2007-01-09 16:05:18.104057722 +0100 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+echo "DELUDE"; -diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c ---- iptables-1.3.5.orig/extensions/libipt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.3.5/extensions/libipt_CHAOS.c 2007-01-09 16:05:23.251885840 +0100 -@@ -0,0 +1,111 @@ -+/* -+ CHAOS target for iptables -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. -+*/ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+static void libipt_chaos_help(void) -+{ -+ printf( -+ "CHAOS target v%s options:\n" -+ " --delude Enable DELUDE processing for TCP\n" -+ " --tarpit Enable TARPIT processing for TCP\n", -+ IPTABLES_VERSION); -+ return; -+} -+ -+static int libipt_chaos_parse(int c, char **argv, int invert, -+ unsigned int *flags, const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ struct xt_chaos_info *info = (void *)((*target)->data); -+ switch(c) { -+ case 'd': -+ info->variant = XTCHAOS_DELUDE; -+ *flags |= 0x02; -+ return 1; -+ case 't': -+ info->variant = XTCHAOS_TARPIT; -+ *flags |= 0x01; -+ return 1; -+ } -+ return 0; -+} -+ -+static void libipt_chaos_check(unsigned int flags) -+{ -+ if(flags != 0x03) -+ return; -+ /* If flags == 0x03, both were specified, which should not be. */ -+ exit_error(PARAMETER_PROBLEM, -+ "CHAOS: only one of --tarpit or --delude may be specified"); -+ return; -+} -+ -+static void libipt_chaos_print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, int numeric) -+{ -+ const struct xt_chaos_info *info = (const void *)target->data; -+ switch(info->variant) { -+ case XTCHAOS_DELUDE: -+ printf("DELUDE "); -+ break; -+ case XTCHAOS_TARPIT: -+ printf("TARPIT "); -+ break; -+ default: -+ break; -+ } -+ return; -+} -+ -+static void libipt_chaos_save(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target) -+{ -+ const struct xt_chaos_info *info = (const void *)target->data; -+ switch(info->variant) { -+ case XTCHAOS_DELUDE: -+ printf("--delude "); -+ break; -+ case XTCHAOS_TARPIT: -+ printf("--tarpit "); -+ break; -+ default: -+ break; -+ } -+ return; -+} -+ -+static struct option libipt_chaos_opts[] = { -+ {"delude", 0, NULL, 'd'}, -+ {"tarpit", 0, NULL, 't'}, -+ {NULL}, -+}; -+ -+static struct iptables_target libipt_chaos_info = { -+ .name = "CHAOS", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)), -+ .help = libipt_chaos_help, -+ .parse = libipt_chaos_parse, -+ .final_check = libipt_chaos_check, -+ .print = libipt_chaos_print, -+ .save = libipt_chaos_save, -+ .extra_opts = libipt_chaos_opts, -+}; -+ -+static __attribute__((constructor)) void libipt_chaos_init(void) -+{ -+ register_target(&libipt_chaos_info); -+ return; -+} -diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c ---- iptables-1.3.5.orig/extensions/libipt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.3.5/extensions/libipt_DELUDE.c 2007-01-09 16:05:18.104057722 +0100 -@@ -0,0 +1,66 @@ -+/* -+ DELUDE target for iptables -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. -+*/ -+#include -+#include -+#include -+ -+#include -+#include -+ -+static void libipt_delude_help(void) -+{ -+ printf("DELUDE takes no options\n"); -+ return; -+} -+ -+static int libipt_delude_parse(int c, char **argv, int invert, -+ unsigned int *flags, const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void libipt_delude_check(unsigned int flags) -+{ -+ return; -+} -+ -+static void libipt_delude_print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, int numeric) -+{ -+ return; -+} -+ -+static void libipt_delude_save(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target) -+{ -+ return; -+} -+ -+static struct option libipt_delude_opts[] = { -+ {NULL}, -+}; -+ -+static struct iptables_target libipt_delude_info = { -+ .name = "DELUDE", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(0), -+ .userspacesize = IPT_ALIGN(0), -+ .help = libipt_delude_help, -+ .parse = libipt_delude_parse, -+ .final_check = libipt_delude_check, -+ .print = libipt_delude_print, -+ .save = libipt_delude_save, -+ .extra_opts = libipt_delude_opts, -+}; -+ -+static __attribute__((constructor)) void libipt_delude_init(void) -+{ -+ register_target(&libipt_delude_info); -+ return; -+} -diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c ---- iptables-1.3.5.orig/extensions/libipt_portscan.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.3.5/extensions/libipt_portscan.c 2007-01-09 16:05:14.228187134 +0100 -@@ -0,0 +1,129 @@ -+/* -+ portscan match for iptables -+ -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. -+*/ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+static void libipt_portscan_help(void) -+{ -+ printf( -+ "portscan match v%s options:\n" -+ "(Combining them will make them match by OR-logic)\n" -+ " --stealth Match TCP Stealth packets\n" -+ " --synscan Match TCP SYN scans\n" -+ " --cnscan Match TCP Connect scans\n" -+ " --grscan Match Banner Grabbing scans\n", -+ IPTABLES_VERSION); -+ return; -+} -+ -+static void libipt_portscan_mtinit(struct ipt_entry_match *match, -+ unsigned int *nfcache) -+{ -+ /* Cannot cache this */ -+ *nfcache |= NFC_UNKNOWN; -+ return; -+} -+ -+static int libipt_portscan_parse(int c, char **argv, int invert, -+ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc, -+ struct ipt_entry_match **match) -+{ -+ struct xt_portscan_info *info = (void *)((*match)->data); -+ -+ switch(c) { -+ case 'c': -+ info->match_cn = 1; -+ return 1; -+ case 'g': -+ info->match_gr = 1; -+ return 1; -+ case 's': -+ info->match_syn = 1; -+ return 1; -+ case 'x': -+ info->match_stealth = 1; -+ return 1; -+ default: -+ return 0; -+ } -+} -+ -+static void libipt_portscan_check(unsigned int flags) -+{ -+ return; -+} -+ -+static void libipt_portscan_print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, int numeric) -+{ -+ const struct xt_portscan_info *info = (const void *)(match->data); -+ const char *s = ""; -+ -+ printf("portscan "); -+ if(info->match_stealth) { -+ printf("STEALTH"); -+ s = ","; -+ } -+ if(info->match_syn) { -+ printf("%sSYNSCAN", s); -+ s = ","; -+ } -+ if(info->match_cn) { -+ printf("%sCNSCAN", s); -+ s = ","; -+ } -+ if(info->match_gr) -+ printf("%sGRSCAN", s); -+ printf(" "); -+ return; -+} -+ -+static void libipt_portscan_save(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match) -+{ -+ const struct xt_portscan_info *info = (const void *)(match->data); -+ if(info->match_stealth) printf("--stealth "); -+ if(info->match_syn) printf("--synscan "); -+ if(info->match_cn) printf("--cnscan "); -+ if(info->match_gr) printf("--grscan "); -+ return; -+} -+ -+static struct option libipt_portscan_opts[] = { -+ {"stealth", 0, NULL, 'x'}, -+ {"synscan", 0, NULL, 's'}, -+ {"cnscan", 0, NULL, 'c'}, -+ {"grscan", 0, NULL, 'g'}, -+ {NULL}, -+}; -+ -+static struct iptables_match libipt_portscan_info = { -+ .name = "portscan", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)), -+ .help = libipt_portscan_help, -+ .init = libipt_portscan_mtinit, -+ .parse = libipt_portscan_parse, -+ .final_check = libipt_portscan_check, -+ .print = libipt_portscan_print, -+ .save = libipt_portscan_save, -+ .extra_opts = libipt_portscan_opts, -+}; -+ -+static __attribute__((constructor)) void libipt_portscan_init(void) -+{ -+ register_match(&libipt_portscan_info); -+ return; -+} -diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test ---- iptables-1.3.5.orig/extensions/.portscan-test 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.3.5/extensions/.portscan-test 2007-01-09 16:05:14.228187134 +0100 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"; -- cgit v1.2.3