$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TCPMSS, $(P_V4)ipt_tcpmss))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TIME, $(P_V4)ipt_time))
+$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TOS, $(P_V4)ipt_tos))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TTL, $(P_V4)ipt_ttl))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_UNCLEAN, $(P_V4)ipt_unclean))
IPT_BUILTIN := $(if $(NF_KMOD),,$(P_V4)ipt_standard)
IPT_BUILTIN += $(if $(NF_KMOD),,$(P_V4)ipt_icmp $(P_V4)ipt_tcp $(P_V4)ipt_udp)
+IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_standard)
+IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_icmp $(P_XT)xt_tcp $(P_XT)xt_udp)
+
IPT_BUILTIN += $(IPT_CONNTRACK-y)
IPT_BUILTIN += $(IPT_EXTRA-y)
IPT_BUILTIN += $(IPT_FILTER-y)
-#
-# Copyright (C) 2006 OpenWrt.org
+#
+# Copyright (C) 2006-2008 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
-PKG_VERSION:=1.3.8
-PKG_RELEASE:=2
+
+ifeq ($(CONFIG_LINUX_2_4),y)
+ PKG_VERSION:=1.3.8
+ PKG_RELEASE:=3
+ PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3
+endif
+
+ifeq ($(CONFIG_LINUX_2_6),y)
+ PKG_VERSION:=1.4.0
+ PKG_RELEASE:=1
+ PKG_MD5SUM:=90cfa8a554a29b0b859a625e701af2a7
+endif
+
+PKG_VERSION?=<IPTABLES_VERSION>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
-PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3
+
+PATCH_DIR:=./patches/$(PKG_VERSION)
include $(INCLUDE_DIR)/package.mk
ifeq ($(DUMP),)
URL:=http://netfilter.org/
endef
+define Package/iptables/Module
+$(call Package/iptables/Default)
+ DEPENDS:=iptables $(1)
+endef
+
define Package/iptables
$(call Package/iptables/Default)
TITLE:=IPv4 firewall administration tool
endef
define Package/iptables-mod-conntrack
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-conntrack
+$(call Package/iptables/Module, +kmod-ipt-conntrack)
TITLE:=connection tracking modules
endef
endef
define Package/iptables-mod-filter
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=filter modules
endef
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
- Includes:
+ Includes:
- libipt_ipp2p
- - libipt_layer7
+ - libipt_layer7
endef
define Package/iptables-mod-imq
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-imq
+$(call Package/iptables/Module, +kmod-ipt-imq)
TITLE:=IMQ support
endef
define Package/iptables-mod-imq/description
iptables extension for IMQ support.
- Includes:
+ Includes:
- libipt_IMQ
endef
define Package/iptables-mod-ipopt
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
TITLE:=IP/Packet option modules
endef
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.\\\
- Includes:
+ Includes:
- libipt_CLASSIFY
- libipt_dscp/DSCP
- libipt_ecn/ECN
- libipt_tcpmms
- libipt_tos/TOS
- libipt_ttl/TTL
- - libipt_unclean
+ - libipt_unclean
endef
define Package/iptables-mod-ipsec
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
TITLE:=IPSec extensions
endef
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.
- Includes:
+ Includes:
- libipt_ah
- libipt_esp
- libipt_policy
endef
define Package/iptables-mod-nat
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-nat
+$(call Package/iptables/Module, +kmod-ipt-nat)
TITLE:=extra NAT targets
endef
define Package/iptables-mod-nat/description
iptables extensions for different NAT targets.
- Includes:
+ Includes:
- libipt_REDIRECT
endef
define Package/iptables-mod-ulog
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
TITLE:=user-space packet logging
endef
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.
- Includes:
+ Includes:
- libipt_ULOG
endef
define Package/iptables-mod-iprange
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
TITLE:=ip range module
endef
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.
- Includes:
+ Includes:
- libipt_iprange
endef
define Package/iptables-mod-extra
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
TITLE:=other extra iptables extensions
endef
define Package/iptables-mod-extra/description
other extra iptables extensions.
- Includes:
+ Includes:
- libipt_limit
- libipt_owner
- libipt_physdev
endef
define Package/iptables-mod-ipset
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ipset
+$(call Package/iptables/Module, +kmod-ipt-ipset)
TITLE:=ipset iptables extension
endef
define Package/iptables-utils
-$(call Package/iptables/Default)
- DEPENDS:=iptables
+$(call Package/iptables/Module, )
TITLE:=iptables save and restore utilities
endef
define Package/ip6tables
$(call Package/iptables/Default)
- DEPENDS:=+kmod-ipv6
- CATEGORY:=Network
+ DEPENDS:=+kmod-ip6tables
+ CATEGORY:=IPv6
TITLE:=IPv6 firewall administration tool
+ MENU:=1
endef
define Package/ip6tables-utils
$(call Package/iptables/Default)
DEPENDS:=ip6tables
- CATEGORY:=Network
+ CATEGORY:=IPv6
TITLE:=ip6tables save and restore utilities
endef
define Build/Prepare
$(call Build/Prepare/Default)
- chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test*
endef
define Build/Configure
+ chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test*
rm -f $(PKG_BUILD_DIR)/.configured*
$(MAKE) -C $(PKG_BUILD_DIR) \
clean
COPT_FLAGS="$(TARGET_CFLAGS)" \
LDFLAGS="-rdynamic -static-libgcc" \
KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
all experimental install install-experimental
endef
$(TARGET_CONFIGURE_OPTS) \
COPT_FLAGS="$(TARGET_CFLAGS)" \
KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
DESTDIR="$(1)" \
install-devel
$(CP) $(PKG_BUILD_DIR)/include $(1)/usr
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
(cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
- $(CP) $(patsubst %,lib%.so,$(IPT_BUILTIN:xt_%=ipt_%)) $(1)/usr/lib/iptables/ \
+ for m in $(patsubst xt_%,ipt_%,$(IPT_BUILTIN)) $(patsubst ipt_%,xt_%,$(IPT_BUILTIN)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so $(1)/usr/lib/iptables/ ;\
+ fi; \
+ done \
)
endef
define BuildPlugin
define Package/$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/iptables
- for m in $$(patsubst xt_%,ipt_%,$(2)); do \
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ fi; \
done
$(3)
endef
+++ /dev/null
-Index: iptables-1.3.8/extensions/Makefile
-===================================================================
---- iptables-1.3.8.orig/extensions/Makefile 2007-07-31 15:27:55.000000000 -0500
-+++ iptables-1.3.8/extensions/Makefile 2007-07-31 15:27:55.000000000 -0500
-@@ -13,6 +13,10 @@
- PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
- endif
-
-+
-+# ipp2p
-+PF_EXT_SLIB += ipp2p
-+
- # Optionals
- PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
- PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-Index: iptables-1.3.8/extensions/libipt_ipp2p.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_ipp2p.c 2007-07-31 15:27:55.000000000 -0500
-@@ -0,0 +1,401 @@
-+
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+#include <ctype.h>
-+
-+#include <iptables.h>
-+
-+#include <linux/netfilter_ipv4/ipt_ipp2p.h>
-+
-+static void
-+help(void)
-+{
-+ printf(
-+ "IPP2P v%s options:\n"
-+ " --ipp2p Grab all known p2p packets\n"
-+ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n"
-+ " --dc [TCP] All known Direct Connect packets\n"
-+ " --kazaa [TCP&UDP] All known KaZaA packets\n"
-+ " --gnu [TCP&UDP] All known Gnutella packets\n"
-+ " --bit [TCP&UDP] All known BitTorrent packets\n"
-+ " --apple [TCP] All known AppleJuice packets\n"
-+ " --winmx [TCP] All known WinMX\n"
-+ " --soul [TCP] All known SoulSeek\n"
-+ " --ares [TCP] All known Ares\n\n"
-+ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
-+ " --mute [TCP] All known Mute packets\n"
-+ " --waste [TCP] All known Waste packets\n"
-+ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n"
-+ " DEBUG SUPPPORT, use only if you know why\n"
-+ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
-+ "\nNote that the follwing options will have the same meaning:\n"
-+ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n"
-+ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
-+ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
-+ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
-+ "\nExamples:\n"
-+ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
-+ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
-+ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
-+ , IPP2P_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "ipp2p", 0, 0, '1' },
-+ { "edk", 0, 0, '2' },
-+ { "dc", 0, 0, '7' },
-+ { "gnu", 0, 0, '9' },
-+ { "kazaa", 0, 0, 'a' },
-+ { "bit", 0, 0, 'b' },
-+ { "apple", 0, 0, 'c' },
-+ { "soul", 0, 0, 'd' },
-+ { "winmx", 0, 0, 'e' },
-+ { "ares", 0, 0, 'f' },
-+ { "mute", 0, 0, 'g' },
-+ { "waste", 0, 0, 'h' },
-+ { "xdcc", 0, 0, 'i' },
-+ { "debug", 0, 0, 'j' },
-+ {0}
-+};
-+
-+
-+
-+static void
-+init(struct ipt_entry_match *m, unsigned int *nfcache)
-+{
-+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
-+
-+ *nfcache |= NFC_UNKNOWN;
-+
-+ /*init the module with default values*/
-+ info->cmd = 0;
-+ info->debug = 0;
-+
-+}
-+
-+
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry,
-+ unsigned int *nfcache,
-+ struct ipt_entry_match **match)
-+{
-+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
-+
-+ switch (c) {
-+ case '1': /*cmd: ipp2p*/
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified once!");
-+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p-data' may only be "
-+ "specified alone!");*/
-+ if ((*flags) != 0)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += SHORT_HAND_IPP2P;
-+ info->cmd = *flags;
-+ break;
-+
-+ case '2': /*cmd: edk*/
-+ if ((*flags & IPP2P_EDK) == IPP2P_EDK)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--edk' may only be "
-+ "specified once");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p-data' may only be "
-+ "specified alone!");*/
-+ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: use `--edk' OR `--edk-data' but not both of them!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_EDK;
-+ info->cmd = *flags;
-+ break;
-+
-+
-+ case '7': /*cmd: dc*/
-+ if ((*flags & IPP2P_DC) == IPP2P_DC)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--dc' may only be "
-+ "specified once!");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p-data' may only be "
-+ "specified alone!");*/
-+ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: use `--dc' OR `--dc-data' but not both of them!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_DC;
-+ info->cmd = *flags;
-+ break;
-+
-+
-+ case '9': /*cmd: gnu*/
-+ if ((*flags & IPP2P_GNU) == IPP2P_GNU)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--gnu' may only be "
-+ "specified once!");
-+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p-data' may only be "
-+ "specified alone!");*/
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_GNU;
-+ info->cmd = *flags;
-+ break;
-+
-+ case 'a': /*cmd: kazaa*/
-+ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--kazaa' may only be "
-+ "specified once!");
-+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p-data' may only be "
-+ "specified alone!");*/
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_KAZAA;
-+ info->cmd = *flags;
-+ break;
-+
-+ case 'b': /*cmd: bit*/
-+ if ((*flags & IPP2P_BIT) == IPP2P_BIT)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--bit' may only be "
-+ "specified once!");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_BIT;
-+ info->cmd = *flags;
-+ break;
-+
-+ case 'c': /*cmd: apple*/
-+ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--apple' may only be "
-+ "specified once!");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_APPLE;
-+ info->cmd = *flags;
-+ break;
-+
-+
-+ case 'd': /*cmd: soul*/
-+ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--soul' may only be "
-+ "specified once!");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_SOUL;
-+ info->cmd = *flags;
-+ break;
-+
-+
-+ case 'e': /*cmd: winmx*/
-+ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--winmx' may only be "
-+ "specified once!");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_WINMX;
-+ info->cmd = *flags;
-+ break;
-+
-+ case 'f': /*cmd: ares*/
-+ if ((*flags & IPP2P_ARES) == IPP2P_ARES)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ares' may only be "
-+ "specified once!");
-+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ipp2p' may only be "
-+ "specified alone!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_ARES;
-+ info->cmd = *flags;
-+ break;
-+
-+ case 'g': /*cmd: mute*/
-+ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--mute' may only be "
-+ "specified once!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_MUTE;
-+ info->cmd = *flags;
-+ break;
-+ case 'h': /*cmd: waste*/
-+ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--waste' may only be "
-+ "specified once!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_WASTE;
-+ info->cmd = *flags;
-+ break;
-+ case 'i': /*cmd: xdcc*/
-+ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC)
-+ exit_error(PARAMETER_PROBLEM,
-+ "ipp2p: `--ares' may only be "
-+ "specified once!");
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ *flags += IPP2P_XDCC;
-+ info->cmd = *flags;
-+ break;
-+
-+ case 'j': /*cmd: debug*/
-+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
-+ info->debug = 1;
-+ break;
-+
-+ default:
-+// exit_error(PARAMETER_PROBLEM,
-+// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+
-+static void
-+final_check(unsigned int flags)
-+{
-+ if (!flags)
-+ exit_error(PARAMETER_PROBLEM,
-+ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
-+}
-+
-+
-+
-+static void
-+print(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match,
-+ int numeric)
-+{
-+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
-+
-+ printf("ipp2p v%s", IPP2P_VERSION);
-+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p");
-+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data");
-+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa");
-+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data");
-+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data");
-+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu");
-+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk");
-+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data");
-+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data");
-+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc");
-+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit");
-+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple");
-+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul");
-+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx");
-+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares");
-+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
-+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
-+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
-+ if (info->debug != 0) printf(" --debug");
-+ printf(" ");
-+}
-+
-+
-+
-+static void
-+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-+{
-+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
-+
-+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p ");
-+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data ");
-+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa ");
-+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data ");
-+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data ");
-+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu ");
-+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk ");
-+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data ");
-+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data ");
-+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc ");
-+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit ");
-+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple ");
-+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul ");
-+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx ");
-+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares ");
-+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
-+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
-+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
-+ if (info->debug != 0) printf("--debug ");
-+}
-+
-+
-+
-+
-+static
-+struct iptables_match ipp2p=
-+{
-+ .next = NULL,
-+ .name = "ipp2p",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+
-+
-+void _init(void)
-+{
-+ register_match(&ipp2p);
-+}
-+
-Index: iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-07-31 15:27:55.000000000 -0500
-@@ -0,0 +1,31 @@
-+#ifndef __IPT_IPP2P_H
-+#define __IPT_IPP2P_H
-+#define IPP2P_VERSION "0.8.1_rc1"
-+
-+struct ipt_p2p_info {
-+ int cmd;
-+ int debug;
-+};
-+
-+#endif //__IPT_IPP2P_H
-+
-+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
-+//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
-+#define SHORT_HAND_NONE 5 /* no short hand*/
-+
-+#define IPP2P_EDK (1 << 1)
-+#define IPP2P_DATA_KAZAA (1 << 2)
-+#define IPP2P_DATA_EDK (1 << 3)
-+#define IPP2P_DATA_DC (1 << 4)
-+#define IPP2P_DC (1 << 5)
-+#define IPP2P_DATA_GNU (1 << 6)
-+#define IPP2P_GNU (1 << 7)
-+#define IPP2P_KAZAA (1 << 8)
-+#define IPP2P_BIT (1 << 9)
-+#define IPP2P_APPLE (1 << 10)
-+#define IPP2P_SOUL (1 << 11)
-+#define IPP2P_WINMX (1 << 12)
-+#define IPP2P_ARES (1 << 13)
-+#define IPP2P_MUTE (1 << 14)
-+#define IPP2P_WASTE (1 << 15)
-+#define IPP2P_XDCC (1 << 16)
+++ /dev/null
-Index: iptables-1.3.8/extensions/.layer7-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.layer7-test 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,3 @@
-+#! /bin/sh
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7
-+[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7
-Index: iptables-1.3.8/extensions/ipt_layer7.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/ipt_layer7.h 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,27 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
-+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+ char pkt;
-+};
-+
-+#endif /* _IPT_LAYER7_H */
-Index: iptables-1.3.8/extensions/libipt_layer7.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_layer7.c 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,358 @@
-+/*
-+ Shared library add-on to iptables to add layer 7 matching support.
-+
-+ By Matthew Strait <quadong@users.sf.net>, Oct 2003.
-+
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+
-+ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
-+*/
-+
-+#define _GNU_SOURCE
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+#include <ctype.h>
-+#include <dirent.h>
-+
-+#include <iptables.h>
-+#include "ipt_layer7.h"
-+
-+#define MAX_FN_LEN 256
-+
-+static char l7dir[MAX_FN_LEN] = "\0";
-+
-+/* Function which prints out usage message. */
-+static void help(void)
-+{
-+ printf(
-+ "LAYER7 match v%s options:\n"
-+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
-+ " (--l7dir must be specified before --l7proto if used!)\n"
-+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
-+ "--l7pkt : Skip connection tracking and match individual packets\n",
-+ IPTABLES_VERSION);
-+ fputc('\n', stdout);
-+}
-+
-+static struct option opts[] = {
-+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
-+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
-+ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
-+ { .name = 0 }
-+};
-+
-+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
-+int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info)
-+{
-+ FILE * f;
-+ char * line = NULL;
-+ size_t len = 0;
-+
-+ enum { protocol, pattern, done } datatype = protocol;
-+
-+ f = fopen(filename, "r");
-+
-+ if(!f)
-+ return 0;
-+
-+ while(getline(&line, &len, f) != -1)
-+ {
-+ if(strlen(line) < 2 || line[0] == '#')
-+ continue;
-+
-+ /* strip the pesky newline... */
-+ if(line[strlen(line) - 1] == '\n')
-+ line[strlen(line) - 1] = '\0';
-+
-+ if(datatype == protocol)
-+ {
-+ if(strcmp(line, protoname))
-+ exit_error(OTHER_PROBLEM,
-+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
-+ protoname, filename);
-+
-+ if(strlen(line) >= MAX_PROTOCOL_LEN)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Protocol name in %s too long!", filename);
-+ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
-+
-+ datatype = pattern;
-+ }
-+ else if(datatype == pattern)
-+ {
-+ if(strlen(line) >= MAX_PATTERN_LEN)
-+ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
-+ strncpy(info->pattern, line, MAX_PATTERN_LEN);
-+
-+ datatype = done;
-+ break;
-+ }
-+ else
-+ exit_error(OTHER_PROBLEM, "Internal error");
-+ }
-+
-+ if(datatype != done)
-+ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
-+
-+ if(line) free(line);
-+ fclose(f);
-+
-+ return 1;
-+
-+/*
-+ fprintf(stderr, "protocol: %s\npattern: %s\n\n",
-+ info->protocol,
-+ info->pattern);
-+*/
-+}
-+
-+static int hex2dec(char c)
-+{
-+ switch (c)
-+ {
-+ case '0' ... '9':
-+ return c - '0';
-+ case 'a' ... 'f':
-+ return c - 'a' + 10;
-+ case 'A' ... 'F':
-+ return c - 'A' + 10;
-+ default:
-+ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
-+ return 0;
-+ }
-+}
-+
-+/* takes a string with \xHH escapes and returns one with the characters
-+they stand for */
-+static char * pre_process(char * s)
-+{
-+ char * result = malloc(strlen(s) + 1);
-+ int sindex = 0, rindex = 0;
-+ while( sindex < strlen(s) )
-+ {
-+ if( sindex + 3 < strlen(s) &&
-+ s[sindex] == '\\' && s[sindex+1] == 'x' &&
-+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
-+ {
-+ /* carefully remember to call tolower here... */
-+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
-+ hex2dec(s[sindex + 3] ) );
-+ sindex += 3; /* 4 total */
-+ }
-+ else
-+ result[rindex] = tolower(s[sindex]);
-+
-+ sindex++;
-+ rindex++;
-+ }
-+ result[rindex] = '\0';
-+
-+ return result;
-+}
-+
-+#define MAX_SUBDIRS 128
-+char ** readl7dir(char * dirname)
-+{
-+ DIR * scratchdir;
-+ struct dirent ** namelist;
-+ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
-+
-+ int n, d = 1;
-+ subdirs[0] = "";
-+
-+ n = scandir(dirname, &namelist, 0, alphasort);
-+
-+ if (n < 0)
-+ {
-+ perror("scandir");
-+ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
-+ }
-+ else
-+ {
-+ while(n--)
-+ {
-+ char fulldirname[MAX_FN_LEN];
-+
-+ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
-+
-+ if((scratchdir = opendir(fulldirname)) != NULL)
-+ {
-+ closedir(scratchdir);
-+
-+ if(!strcmp(namelist[n]->d_name, ".") ||
-+ !strcmp(namelist[n]->d_name, ".."))
-+ /* do nothing */ ;
-+ else
-+ {
-+ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
-+ strcpy(subdirs[d], namelist[n]->d_name);
-+ d++;
-+ if(d >= MAX_SUBDIRS - 1)
-+ {
-+ fprintf(stderr,
-+ "Too many subdirectories, skipping the rest!\n");
-+ break;
-+ }
-+ }
-+ }
-+ free(namelist[n]);
-+ }
-+ free(namelist);
-+ }
-+
-+ subdirs[d] = NULL;
-+
-+ return subdirs;
-+}
-+
-+static void
-+parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info)
-+{
-+ char filename[MAX_FN_LEN];
-+ char * dir = NULL;
-+ char ** subdirs;
-+ int n = 0, done = 0;
-+
-+ if(strlen(l7dir) > 0)
-+ dir = l7dir;
-+ else
-+ dir = "/etc/l7-protocols";
-+
-+ subdirs = readl7dir(dir);
-+
-+ while(subdirs[n] != NULL)
-+ {
-+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
-+
-+ //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
-+
-+ if(c > MAX_FN_LEN)
-+ {
-+ exit_error(OTHER_PROBLEM,
-+ "Filename beginning with %s is too long!\n", filename);
-+ }
-+
-+ /* read in the pattern from the file */
-+ if(parse_protocol_file(filename, s, info))
-+ {
-+ //fprintf(stderr, "found\n");
-+ done = 1;
-+ break;
-+ }
-+
-+ //fprintf(stderr, "not found\n");
-+
-+ n++;
-+ }
-+
-+ if(!done)
-+ exit_error(OTHER_PROBLEM,
-+ "Couldn't find a pattern definition file for %s.\n", s);
-+
-+ /* process \xHH escapes and tolower everything. (our regex lib has no
-+ case insensitivity option.) */
-+ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
-+}
-+
-+/* Function which parses command options; returns true if it ate an option */
-+static int parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry, unsigned int *nfcache,
-+ struct ipt_entry_match **match)
-+{
-+ struct ipt_layer7_info *layer7info =
-+ (struct ipt_layer7_info *)(*match)->data;
-+
-+ switch (c) {
-+ case '1':
-+ check_inverse(optarg, &invert, &optind, 0);
-+ parse_layer7_protocol(argv[optind-1], layer7info);
-+ if (invert)
-+ layer7info->invert = 1;
-+ *flags = 1;
-+ break;
-+
-+ case '2':
-+ /* not going to use this, but maybe we need to strip a ! anyway (?) */
-+ check_inverse(optarg, &invert, &optind, 0);
-+
-+ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
-+ exit_error(PARAMETER_PROBLEM, "directory name too long\n");
-+
-+ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
-+
-+ *flags = 1;
-+ break;
-+ case '3':
-+ layer7info->pkt = 1;
-+ break;
-+
-+ default:
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+/* Final check; must have specified --pattern. */
-+static void final_check(unsigned int flags)
-+{
-+ if (!flags)
-+ exit_error(PARAMETER_PROBLEM,
-+ "LAYER7 match: You must specify `--pattern'");
-+}
-+
-+static void print_protocol(char s[], int invert, int numeric)
-+{
-+ fputs("l7proto ", stdout);
-+ if (invert) fputc('!', stdout);
-+ printf("%s ", s);
-+}
-+
-+/* Prints out the matchinfo. */
-+static void print(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match,
-+ int numeric)
-+{
-+ printf("LAYER7 ");
-+
-+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
-+ ((struct ipt_layer7_info *)match->data)->invert, numeric);
-+
-+ if (((struct ipt_layer7_info *)match->data)->pkt)
-+ printf("l7pkt ");
-+}
-+/* Saves the union ipt_matchinfo in parsable form to stdout. */
-+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-+{
-+ const struct ipt_layer7_info *info =
-+ (const struct ipt_layer7_info*) match->data;
-+
-+ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
-+}
-+
-+static struct iptables_match layer7 = {
-+ .name = "layer7",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
-+ .help = &help,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ register_match(&layer7);
-+}
-Index: iptables-1.3.8/extensions/libipt_layer7.man
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_layer7.man 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,13 @@
-+This module matches packets based on the application layer data of
-+their connections. It uses regular expression matching to compare
-+the application layer data to regular expressions found it the layer7
-+configuration files. This is an experimental module which can be found at
-+http://l7-filter.sf.net. It takes two options.
-+.TP
-+.BI "--l7proto " "\fIprotocol\fP"
-+Match the specified protocol. The protocol name must match a file
-+name in /etc/l7-protocols/
-+.TP
-+.BI "--l7dir " "\fIdirectory\fP"
-+Use \fIdirectory\fP instead of /etc/l7-protocols/
-+
+++ /dev/null
-Index: iptables-1.3.8/extensions/libipt_multiport.c
-===================================================================
---- iptables-1.3.8.orig/extensions/libipt_multiport.c 2007-07-31 15:27:55.000000000 -0500
-+++ iptables-1.3.8/extensions/libipt_multiport.c 2007-07-31 15:27:56.000000000 -0500
-@@ -8,24 +8,6 @@
- /* To ensure that iptables compiles with an old kernel */
- #include "../include/linux/netfilter_ipv4/ipt_multiport.h"
-
--/* Function which prints out usage message. */
--static void
--help(void)
--{
-- printf(
--"multiport v%s options:\n"
--" --source-ports port[,port,port...]\n"
--" --sports ...\n"
--" match source port(s)\n"
--" --destination-ports port[,port,port...]\n"
--" --dports ...\n"
--" match destination port(s)\n"
--" --ports port[,port,port]\n"
--" match both source and destination port(s)\n"
--" NOTE: this kernel does not support port ranges in multiport.\n",
--IPTABLES_VERSION);
--}
--
- static void
- help_v1(void)
- {
-@@ -70,26 +52,6 @@
- }
- }
-
--static unsigned int
--parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
--{
-- char *buffer, *cp, *next;
-- unsigned int i;
--
-- buffer = strdup(portstring);
-- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
--
-- for (cp=buffer, i=0; cp && i<IPT_MULTI_PORTS; cp=next,i++)
-- {
-- next=strchr(cp, ',');
-- if (next) *next++='\0';
-- ports[i] = parse_port(cp, proto);
-- }
-- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
-- free(buffer);
-- return i;
--}
--
- static void
- parse_multi_ports_v1(const char *portstring,
- struct ipt_multiport_v1 *multiinfo,
-@@ -156,58 +118,6 @@
- "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
- }
-
--/* Function which parses command options; returns true if it
-- ate an option */
--static int
--parse(int c, char **argv, int invert, unsigned int *flags,
-- const struct ipt_entry *entry,
-- unsigned int *nfcache,
-- struct ipt_entry_match **match)
--{
-- const char *proto;
-- struct ipt_multiport *multiinfo
-- = (struct ipt_multiport *)(*match)->data;
--
-- switch (c) {
-- case '1':
-- check_inverse(argv[optind-1], &invert, &optind, 0);
-- proto = check_proto(entry);
-- multiinfo->count = parse_multi_ports(argv[optind-1],
-- multiinfo->ports, proto);
-- multiinfo->flags = IPT_MULTIPORT_SOURCE;
-- break;
--
-- case '2':
-- check_inverse(argv[optind-1], &invert, &optind, 0);
-- proto = check_proto(entry);
-- multiinfo->count = parse_multi_ports(argv[optind-1],
-- multiinfo->ports, proto);
-- multiinfo->flags = IPT_MULTIPORT_DESTINATION;
-- break;
--
-- case '3':
-- check_inverse(argv[optind-1], &invert, &optind, 0);
-- proto = check_proto(entry);
-- multiinfo->count = parse_multi_ports(argv[optind-1],
-- multiinfo->ports, proto);
-- multiinfo->flags = IPT_MULTIPORT_EITHER;
-- break;
--
-- default:
-- return 0;
-- }
--
-- if (invert)
-- exit_error(PARAMETER_PROBLEM,
-- "multiport does not support invert");
--
-- if (*flags)
-- exit_error(PARAMETER_PROBLEM,
-- "multiport can only have one option");
-- *flags = 1;
-- return 1;
--}
--
- static int
- parse_v1(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
-@@ -284,43 +194,6 @@
- printf("%s", service);
- }
-
--/* Prints out the matchinfo. */
--static void
--print(const struct ipt_ip *ip,
-- const struct ipt_entry_match *match,
-- int numeric)
--{
-- const struct ipt_multiport *multiinfo
-- = (const struct ipt_multiport *)match->data;
-- unsigned int i;
--
-- printf("multiport ");
--
-- switch (multiinfo->flags) {
-- case IPT_MULTIPORT_SOURCE:
-- printf("sports ");
-- break;
--
-- case IPT_MULTIPORT_DESTINATION:
-- printf("dports ");
-- break;
--
-- case IPT_MULTIPORT_EITHER:
-- printf("ports ");
-- break;
--
-- default:
-- printf("ERROR ");
-- break;
-- }
--
-- for (i=0; i < multiinfo->count; i++) {
-- printf("%s", i ? "," : "");
-- print_port(multiinfo->ports[i], ip->proto, numeric);
-- }
-- printf(" ");
--}
--
- static void
- print_v1(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
-@@ -364,34 +237,6 @@
- printf(" ");
- }
-
--/* Saves the union ipt_matchinfo in parsable form to stdout. */
--static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
--{
-- const struct ipt_multiport *multiinfo
-- = (const struct ipt_multiport *)match->data;
-- unsigned int i;
--
-- switch (multiinfo->flags) {
-- case IPT_MULTIPORT_SOURCE:
-- printf("--sports ");
-- break;
--
-- case IPT_MULTIPORT_DESTINATION:
-- printf("--dports ");
-- break;
--
-- case IPT_MULTIPORT_EITHER:
-- printf("--ports ");
-- break;
-- }
--
-- for (i=0; i < multiinfo->count; i++) {
-- printf("%s", i ? "," : "");
-- print_port(multiinfo->ports[i], ip->proto, 1);
-- }
-- printf(" ");
--}
--
- static void save_v1(const struct ipt_ip *ip,
- const struct ipt_entry_match *match)
- {
-@@ -427,19 +272,20 @@
- printf(" ");
- }
-
-+
- static struct iptables_match multiport = {
- .next = NULL,
- .name = "multiport",
-- .revision = 0,
- .version = IPTABLES_VERSION,
-- .size = IPT_ALIGN(sizeof(struct ipt_multiport)),
-- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)),
-- .help = &help,
-+ .revision = 0,
-+ .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)),
-+ .help = &help_v1,
- .init = &init,
-- .parse = &parse,
-+ .parse = &parse_v1,
- .final_check = &final_check,
-- .print = &print,
-- .save = &save,
-+ .print = &print_v1,
-+ .save = &save_v1,
- .extra_opts = opts
- };
-
+++ /dev/null
-Index: iptables-1.3.8/extensions/.IMQ-test6
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.IMQ-test6 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if IMQ target patch is applied.
-+[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ
-Index: iptables-1.3.8/extensions/libip6t_IMQ.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libip6t_IMQ.c 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,101 @@
-+/* Shared library add-on to iptables to add IMQ target support. */
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+
-+#include <ip6tables.h>
-+#include <linux/netfilter_ipv6/ip6_tables.h>
-+#include <linux/netfilter_ipv6/ip6t_IMQ.h>
-+
-+/* Function which prints out usage message. */
-+static void
-+help(void)
-+{
-+ printf(
-+"IMQ target v%s options:\n"
-+" --todev <N> enqueue to imq<N>, defaults to 0\n",
-+IPTABLES_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "todev", 1, 0, '1' },
-+ { 0 }
-+};
-+
-+/* Initialize the target. */
-+static void
-+init(struct ip6t_entry_target *t, unsigned int *nfcache)
-+{
-+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
-+
-+ mr->todev = 0;
-+ *nfcache |= NFC_UNKNOWN;
-+}
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ip6t_entry *entry,
-+ struct ip6t_entry_target **target)
-+{
-+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data;
-+
-+ switch(c) {
-+ case '1':
-+ if (check_inverse(optarg, &invert, NULL, 0))
-+ exit_error(PARAMETER_PROBLEM,
-+ "Unexpected `!' after --todev");
-+ mr->todev=atoi(optarg);
-+ break;
-+ default:
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static void
-+final_check(unsigned int flags)
-+{
-+}
-+
-+/* Prints out the targinfo. */
-+static void
-+print(const struct ip6t_ip6 *ip,
-+ const struct ip6t_entry_target *target,
-+ int numeric)
-+{
-+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
-+
-+ printf("IMQ: todev %u ", mr->todev);
-+}
-+
-+/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
-+{
-+ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
-+
-+ printf("--todev %u", mr->todev);
-+}
-+
-+static struct ip6tables_target imq = {
-+ .next = NULL,
-+ .name = "IMQ",
-+ .version = IPTABLES_VERSION,
-+ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
-+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+static __attribute__((constructor)) void _init(void)
-+{
-+ register_target6(&imq);
-+}
-Index: iptables-1.3.8/extensions/.IMQ-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.IMQ-test 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if IMQ target patch is applied.
-+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ
-Index: iptables-1.3.8/extensions/libipt_IMQ.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_IMQ.c 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,101 @@
-+/* Shared library add-on to iptables to add IMQ target support. */
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter_ipv4/ipt_IMQ.h>
-+
-+/* Function which prints out usage message. */
-+static void
-+help(void)
-+{
-+ printf(
-+"IMQ target v%s options:\n"
-+" --todev <N> enqueue to imq<N>, defaults to 0\n",
-+IPTABLES_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "todev", 1, 0, '1' },
-+ { 0 }
-+};
-+
-+/* Initialize the target. */
-+static void
-+init(struct ipt_entry_target *t, unsigned int *nfcache)
-+{
-+ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
-+
-+ mr->todev = 0;
-+ *nfcache |= NFC_UNKNOWN;
-+}
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
-+
-+ switch(c) {
-+ case '1':
-+ if (check_inverse(optarg, &invert, NULL, 0))
-+ exit_error(PARAMETER_PROBLEM,
-+ "Unexpected `!' after --todev");
-+ mr->todev=atoi(optarg);
-+ break;
-+ default:
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static void
-+final_check(unsigned int flags)
-+{
-+}
-+
-+/* Prints out the targinfo. */
-+static void
-+print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target,
-+ int numeric)
-+{
-+ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
-+
-+ printf("IMQ: todev %u ", mr->todev);
-+}
-+
-+/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-+{
-+ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
-+
-+ printf("--todev %u", mr->todev);
-+}
-+
-+static struct iptables_target imq = {
-+ .next = NULL,
-+ .name = "IMQ",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+static __attribute__((constructor)) void _init(void)
-+{
-+ register_target(&imq);
-+}
+++ /dev/null
-Index: iptables-1.3.8/extensions/.CHAOS-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.CHAOS-test 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS";
-Index: iptables-1.3.8/extensions/.DELUDE-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.DELUDE-test 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+echo "DELUDE";
-Index: iptables-1.3.8/extensions/libipt_CHAOS.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_CHAOS.c 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,111 @@
-+/*
-+ CHAOS target for iptables
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
-+*/
-+#include <getopt.h>
-+#include <stdio.h>
-+#include <string.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+
-+static void libipt_chaos_help(void)
-+{
-+ printf(
-+ "CHAOS target v%s options:\n"
-+ " --delude Enable DELUDE processing for TCP\n"
-+ " --tarpit Enable TARPIT processing for TCP\n",
-+ IPTABLES_VERSION);
-+ return;
-+}
-+
-+static int libipt_chaos_parse(int c, char **argv, int invert,
-+ unsigned int *flags, const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ struct xt_chaos_info *info = (void *)((*target)->data);
-+ switch(c) {
-+ case 'd':
-+ info->variant = XTCHAOS_DELUDE;
-+ *flags |= 0x02;
-+ return 1;
-+ case 't':
-+ info->variant = XTCHAOS_TARPIT;
-+ *flags |= 0x01;
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+static void libipt_chaos_check(unsigned int flags)
-+{
-+ if(flags != 0x03)
-+ return;
-+ /* If flags == 0x03, both were specified, which should not be. */
-+ exit_error(PARAMETER_PROBLEM,
-+ "CHAOS: only one of --tarpit or --delude may be specified");
-+ return;
-+}
-+
-+static void libipt_chaos_print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target, int numeric)
-+{
-+ const struct xt_chaos_info *info = (const void *)target->data;
-+ switch(info->variant) {
-+ case XTCHAOS_DELUDE:
-+ printf("DELUDE ");
-+ break;
-+ case XTCHAOS_TARPIT:
-+ printf("TARPIT ");
-+ break;
-+ default:
-+ break;
-+ }
-+ return;
-+}
-+
-+static void libipt_chaos_save(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target)
-+{
-+ const struct xt_chaos_info *info = (const void *)target->data;
-+ switch(info->variant) {
-+ case XTCHAOS_DELUDE:
-+ printf("--delude ");
-+ break;
-+ case XTCHAOS_TARPIT:
-+ printf("--tarpit ");
-+ break;
-+ default:
-+ break;
-+ }
-+ return;
-+}
-+
-+static struct option libipt_chaos_opts[] = {
-+ {"delude", 0, NULL, 'd'},
-+ {"tarpit", 0, NULL, 't'},
-+ {NULL},
-+};
-+
-+static struct iptables_target libipt_chaos_info = {
-+ .name = "CHAOS",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)),
-+ .help = libipt_chaos_help,
-+ .parse = libipt_chaos_parse,
-+ .final_check = libipt_chaos_check,
-+ .print = libipt_chaos_print,
-+ .save = libipt_chaos_save,
-+ .extra_opts = libipt_chaos_opts,
-+};
-+
-+static __attribute__((constructor)) void libipt_chaos_init(void)
-+{
-+ register_target(&libipt_chaos_info);
-+ return;
-+}
-Index: iptables-1.3.8/extensions/libipt_DELUDE.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_DELUDE.c 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,66 @@
-+/*
-+ DELUDE target for iptables
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
-+*/
-+#include <getopt.h>
-+#include <stdio.h>
-+#include <string.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+static void libipt_delude_help(void)
-+{
-+ printf("DELUDE takes no options\n");
-+ return;
-+}
-+
-+static int libipt_delude_parse(int c, char **argv, int invert,
-+ unsigned int *flags, const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ return 0;
-+}
-+
-+static void libipt_delude_check(unsigned int flags)
-+{
-+ return;
-+}
-+
-+static void libipt_delude_print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target, int numeric)
-+{
-+ return;
-+}
-+
-+static void libipt_delude_save(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target)
-+{
-+ return;
-+}
-+
-+static struct option libipt_delude_opts[] = {
-+ {NULL},
-+};
-+
-+static struct iptables_target libipt_delude_info = {
-+ .name = "DELUDE",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(0),
-+ .userspacesize = IPT_ALIGN(0),
-+ .help = libipt_delude_help,
-+ .parse = libipt_delude_parse,
-+ .final_check = libipt_delude_check,
-+ .print = libipt_delude_print,
-+ .save = libipt_delude_save,
-+ .extra_opts = libipt_delude_opts,
-+};
-+
-+static __attribute__((constructor)) void libipt_delude_init(void)
-+{
-+ register_target(&libipt_delude_info);
-+ return;
-+}
-Index: iptables-1.3.8/extensions/libipt_portscan.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_portscan.c 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,129 @@
-+/*
-+ portscan match for iptables
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
-+*/
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter/xt_portscan.h>
-+
-+static void libipt_portscan_help(void)
-+{
-+ printf(
-+ "portscan match v%s options:\n"
-+ "(Combining them will make them match by OR-logic)\n"
-+ " --stealth Match TCP Stealth packets\n"
-+ " --synscan Match TCP SYN scans\n"
-+ " --cnscan Match TCP Connect scans\n"
-+ " --grscan Match Banner Grabbing scans\n",
-+ IPTABLES_VERSION);
-+ return;
-+}
-+
-+static void libipt_portscan_mtinit(struct ipt_entry_match *match,
-+ unsigned int *nfcache)
-+{
-+ /* Cannot cache this */
-+ *nfcache |= NFC_UNKNOWN;
-+ return;
-+}
-+
-+static int libipt_portscan_parse(int c, char **argv, int invert,
-+ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
-+ struct ipt_entry_match **match)
-+{
-+ struct xt_portscan_info *info = (void *)((*match)->data);
-+
-+ switch(c) {
-+ case 'c':
-+ info->match_cn = 1;
-+ return 1;
-+ case 'g':
-+ info->match_gr = 1;
-+ return 1;
-+ case 's':
-+ info->match_syn = 1;
-+ return 1;
-+ case 'x':
-+ info->match_stealth = 1;
-+ return 1;
-+ default:
-+ return 0;
-+ }
-+}
-+
-+static void libipt_portscan_check(unsigned int flags)
-+{
-+ return;
-+}
-+
-+static void libipt_portscan_print(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match, int numeric)
-+{
-+ const struct xt_portscan_info *info = (const void *)(match->data);
-+ const char *s = "";
-+
-+ printf("portscan ");
-+ if(info->match_stealth) {
-+ printf("STEALTH");
-+ s = ",";
-+ }
-+ if(info->match_syn) {
-+ printf("%sSYNSCAN", s);
-+ s = ",";
-+ }
-+ if(info->match_cn) {
-+ printf("%sCNSCAN", s);
-+ s = ",";
-+ }
-+ if(info->match_gr)
-+ printf("%sGRSCAN", s);
-+ printf(" ");
-+ return;
-+}
-+
-+static void libipt_portscan_save(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match)
-+{
-+ const struct xt_portscan_info *info = (const void *)(match->data);
-+ if(info->match_stealth) printf("--stealth ");
-+ if(info->match_syn) printf("--synscan ");
-+ if(info->match_cn) printf("--cnscan ");
-+ if(info->match_gr) printf("--grscan ");
-+ return;
-+}
-+
-+static struct option libipt_portscan_opts[] = {
-+ {"stealth", 0, NULL, 'x'},
-+ {"synscan", 0, NULL, 's'},
-+ {"cnscan", 0, NULL, 'c'},
-+ {"grscan", 0, NULL, 'g'},
-+ {NULL},
-+};
-+
-+static struct iptables_match libipt_portscan_info = {
-+ .name = "portscan",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)),
-+ .help = libipt_portscan_help,
-+ .init = libipt_portscan_mtinit,
-+ .parse = libipt_portscan_parse,
-+ .final_check = libipt_portscan_check,
-+ .print = libipt_portscan_print,
-+ .save = libipt_portscan_save,
-+ .extra_opts = libipt_portscan_opts,
-+};
-+
-+static __attribute__((constructor)) void libipt_portscan_init(void)
-+{
-+ register_match(&libipt_portscan_info);
-+ return;
-+}
-Index: iptables-1.3.8/extensions/.portscan-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.portscan-test 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";
+++ /dev/null
-diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.c iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c
---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.c 1969-12-31 19:00:00.000000000 -0500
-+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c 2007-08-18 14:49:25.000000000 -0400
-@@ -0,0 +1,58 @@
-+/* Shared library add-on to iptables for TARPIT support */
-+#include <stdio.h>
-+#include <getopt.h>
-+#include <iptables.h>
-+
-+static void
-+help(void)
-+{
-+ fputs(
-+"TARPIT takes no options\n"
-+"\n", stdout);
-+}
-+
-+static struct option opts[] = {
-+ { 0 }
-+};
-+
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ return 0;
-+}
-+
-+static void final_check(unsigned int flags)
-+{
-+}
-+
-+static void
-+print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target,
-+ int numeric)
-+{
-+}
-+
-+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-+{
-+}
-+
-+static struct iptables_target tarpit = {
-+ .next = NULL,
-+ .name = "TARPIT",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(0),
-+ .userspacesize = IPT_ALIGN(0),
-+ .help = &help,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ register_target(&tarpit);
-+}
-diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.man iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man
---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.man 1969-12-31 19:00:00.000000000 -0500
-+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man 2007-08-18 14:49:25.000000000 -0400
-@@ -0,0 +1,34 @@
-+Captures and holds incoming TCP connections using no local
-+per-connection resources. Connections are accepted, but immediately
-+switched to the persist state (0 byte window), in which the remote
-+side stops sending data and asks to continue every 60-240 seconds.
-+Attempts to close the connection are ignored, forcing the remote side
-+to time out the connection in 12-24 minutes.
-+
-+This offers similar functionality to LaBrea
-+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
-+hardware or IPs. Any TCP port that you would normally DROP or REJECT
-+can instead become a tarpit.
-+
-+To tarpit connections to TCP port 80 destined for the current machine:
-+.IP
-+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-+.P
-+To significantly slow down Code Red/Nimda-style scans of unused address
-+space, forward unused ip addresses to a Linux box not acting as a router
-+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
-+forwarding on the Linux box, and add:
-+.IP
-+iptables -A FORWARD -p tcp -j TARPIT
-+.IP
-+iptables -A FORWARD -j DROP
-+.TP
-+NOTE:
-+If you use the conntrack module while you are using TARPIT, you should
-+also use the NOTRACK target, or the kernel will unnecessarily allocate
-+resources for each TARPITted connection. To TARPIT incoming
-+connections to the standard IRC port while using conntrack, you could:
-+.IP
-+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-+.IP
-+iptables -A INPUT -p tcp --dport 6667 -j TARPIT
-diff -N -u -r iptables-1.3.8-20070817/extensions/.TARPIT-test iptables-1.3.8-20070817-nf/extensions/.TARPIT-test
---- iptables-1.3.8-20070817/extensions/.TARPIT-test 1969-12-31 19:00:00.000000000 -0500
-+++ iptables-1.3.8-20070817-nf/extensions/.TARPIT-test 2007-08-18 14:49:25.000000000 -0400
-@@ -0,0 +1,2 @@
-+#! /bin/sh
-+[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT
--- /dev/null
+Index: iptables-1.3.8/extensions/Makefile
+===================================================================
+--- iptables-1.3.8.orig/extensions/Makefile
++++ iptables-1.3.8/extensions/Makefile
+@@ -13,6 +13,10 @@ PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
+ PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
+ endif
+
++
++# ipp2p
++PF_EXT_SLIB += ipp2p
++
+ # Optionals
+ PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+ PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_ipp2p.c
+@@ -0,0 +1,401 @@
++
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++
++#include <iptables.h>
++
++#include <linux/netfilter_ipv4/ipt_ipp2p.h>
++
++static void
++help(void)
++{
++ printf(
++ "IPP2P v%s options:\n"
++ " --ipp2p Grab all known p2p packets\n"
++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n"
++ " --dc [TCP] All known Direct Connect packets\n"
++ " --kazaa [TCP&UDP] All known KaZaA packets\n"
++ " --gnu [TCP&UDP] All known Gnutella packets\n"
++ " --bit [TCP&UDP] All known BitTorrent packets\n"
++ " --apple [TCP] All known AppleJuice packets\n"
++ " --winmx [TCP] All known WinMX\n"
++ " --soul [TCP] All known SoulSeek\n"
++ " --ares [TCP] All known Ares\n\n"
++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
++ " --mute [TCP] All known Mute packets\n"
++ " --waste [TCP] All known Waste packets\n"
++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n"
++ " DEBUG SUPPPORT, use only if you know why\n"
++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
++ "\nNote that the follwing options will have the same meaning:\n"
++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n"
++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
++ "\nExamples:\n"
++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
++ , IPP2P_VERSION);
++}
++
++static struct option opts[] = {
++ { "ipp2p", 0, 0, '1' },
++ { "edk", 0, 0, '2' },
++ { "dc", 0, 0, '7' },
++ { "gnu", 0, 0, '9' },
++ { "kazaa", 0, 0, 'a' },
++ { "bit", 0, 0, 'b' },
++ { "apple", 0, 0, 'c' },
++ { "soul", 0, 0, 'd' },
++ { "winmx", 0, 0, 'e' },
++ { "ares", 0, 0, 'f' },
++ { "mute", 0, 0, 'g' },
++ { "waste", 0, 0, 'h' },
++ { "xdcc", 0, 0, 'i' },
++ { "debug", 0, 0, 'j' },
++ {0}
++};
++
++
++
++static void
++init(struct ipt_entry_match *m, unsigned int *nfcache)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
++
++ *nfcache |= NFC_UNKNOWN;
++
++ /*init the module with default values*/
++ info->cmd = 0;
++ info->debug = 0;
++
++}
++
++
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ipt_entry *entry,
++ unsigned int *nfcache,
++ struct ipt_entry_match **match)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
++
++ switch (c) {
++ case '1': /*cmd: ipp2p*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags) != 0)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += SHORT_HAND_IPP2P;
++ info->cmd = *flags;
++ break;
++
++ case '2': /*cmd: edk*/
++ if ((*flags & IPP2P_EDK) == IPP2P_EDK)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--edk' may only be "
++ "specified once");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_EDK;
++ info->cmd = *flags;
++ break;
++
++
++ case '7': /*cmd: dc*/
++ if ((*flags & IPP2P_DC) == IPP2P_DC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--dc' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_DC;
++ info->cmd = *flags;
++ break;
++
++
++ case '9': /*cmd: gnu*/
++ if ((*flags & IPP2P_GNU) == IPP2P_GNU)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--gnu' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_GNU;
++ info->cmd = *flags;
++ break;
++
++ case 'a': /*cmd: kazaa*/
++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--kazaa' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_KAZAA;
++ info->cmd = *flags;
++ break;
++
++ case 'b': /*cmd: bit*/
++ if ((*flags & IPP2P_BIT) == IPP2P_BIT)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--bit' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_BIT;
++ info->cmd = *flags;
++ break;
++
++ case 'c': /*cmd: apple*/
++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--apple' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_APPLE;
++ info->cmd = *flags;
++ break;
++
++
++ case 'd': /*cmd: soul*/
++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--soul' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_SOUL;
++ info->cmd = *flags;
++ break;
++
++
++ case 'e': /*cmd: winmx*/
++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--winmx' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_WINMX;
++ info->cmd = *flags;
++ break;
++
++ case 'f': /*cmd: ares*/
++ if ((*flags & IPP2P_ARES) == IPP2P_ARES)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ares' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_ARES;
++ info->cmd = *flags;
++ break;
++
++ case 'g': /*cmd: mute*/
++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--mute' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_MUTE;
++ info->cmd = *flags;
++ break;
++ case 'h': /*cmd: waste*/
++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--waste' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_WASTE;
++ info->cmd = *flags;
++ break;
++ case 'i': /*cmd: xdcc*/
++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ares' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_XDCC;
++ info->cmd = *flags;
++ break;
++
++ case 'j': /*cmd: debug*/
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ info->debug = 1;
++ break;
++
++ default:
++// exit_error(PARAMETER_PROBLEM,
++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
++ return 0;
++ }
++ return 1;
++}
++
++
++static void
++final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
++}
++
++
++
++static void
++print(const struct ipt_ip *ip,
++ const struct ipt_entry_match *match,
++ int numeric)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
++
++ printf("ipp2p v%s", IPP2P_VERSION);
++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p");
++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data");
++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa");
++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data");
++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data");
++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu");
++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk");
++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data");
++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data");
++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc");
++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit");
++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple");
++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul");
++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx");
++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares");
++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
++ if (info->debug != 0) printf(" --debug");
++ printf(" ");
++}
++
++
++
++static void
++save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
++
++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p ");
++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data ");
++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa ");
++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data ");
++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data ");
++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu ");
++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk ");
++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data ");
++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data ");
++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc ");
++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit ");
++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple ");
++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul ");
++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx ");
++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares ");
++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
++ if (info->debug != 0) printf("--debug ");
++}
++
++
++
++
++static
++struct iptables_match ipp2p=
++{
++ .next = NULL,
++ .name = "ipp2p",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++
++
++void _init(void)
++{
++ register_match(&ipp2p);
++}
++
+Index: iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h
+@@ -0,0 +1,31 @@
++#ifndef __IPT_IPP2P_H
++#define __IPT_IPP2P_H
++#define IPP2P_VERSION "0.8.1_rc1"
++
++struct ipt_p2p_info {
++ int cmd;
++ int debug;
++};
++
++#endif //__IPT_IPP2P_H
++
++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
++//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
++#define SHORT_HAND_NONE 5 /* no short hand*/
++
++#define IPP2P_EDK (1 << 1)
++#define IPP2P_DATA_KAZAA (1 << 2)
++#define IPP2P_DATA_EDK (1 << 3)
++#define IPP2P_DATA_DC (1 << 4)
++#define IPP2P_DC (1 << 5)
++#define IPP2P_DATA_GNU (1 << 6)
++#define IPP2P_GNU (1 << 7)
++#define IPP2P_KAZAA (1 << 8)
++#define IPP2P_BIT (1 << 9)
++#define IPP2P_APPLE (1 << 10)
++#define IPP2P_SOUL (1 << 11)
++#define IPP2P_WINMX (1 << 12)
++#define IPP2P_ARES (1 << 13)
++#define IPP2P_MUTE (1 << 14)
++#define IPP2P_WASTE (1 << 15)
++#define IPP2P_XDCC (1 << 16)
--- /dev/null
+Index: iptables-1.3.8/extensions/.layer7-test
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/.layer7-test
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7
+Index: iptables-1.3.8/extensions/libipt_layer7.c
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_layer7.c
+@@ -0,0 +1,394 @@
++/*
++ Shared library add-on to iptables to add layer 7 matching support.
++
++ By Matthew Strait <quadong@users.sf.net>, Oct 2003.
++
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ipt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++ printf(
++ "LAYER7 match v%s options:\n"
++ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++ " (--l7dir must be specified before --l7proto if used!)\n"
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ IPTABLES_VERSION);
++ fputc('\n', stdout);
++}
++
++static struct option opts[] = {
++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = 0 }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info)
++{
++ FILE * f;
++ char * line = NULL;
++ size_t len = 0;
++
++ enum { protocol, pattern, done } datatype = protocol;
++
++ f = fopen(filename, "r");
++
++ if(!f)
++ return 0;
++
++ while(getline(&line, &len, f) != -1)
++ {
++ if(strlen(line) < 2 || line[0] == '#')
++ continue;
++
++ /* strip the pesky newline... */
++ if(line[strlen(line) - 1] == '\n')
++ line[strlen(line) - 1] = '\0';
++
++ if(datatype == protocol)
++ {
++ /* Ignore everything on the line beginning with the
++ first space or tab . For instance, this allows the
++ protocol line in http.pat to be "http " (or
++ "http I am so cool") instead of just "http". */
++ if(strchr(line, ' ')){
++ char * space = strchr(line, ' ');
++ space[0] = '\0';
++ }
++ if(strchr(line, '\t')){
++ char * space = strchr(line, '\t');
++ space[0] = '\0';
++ }
++
++ /* sanity check. First non-comment non-blank
++ line must be the same as the file name. */
++ if(strcmp(line, protoname))
++ exit_error(OTHER_PROBLEM,
++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
++ line, filename);
++
++ if(strlen(line) >= MAX_PROTOCOL_LEN)
++ exit_error(PARAMETER_PROBLEM,
++ "Protocol name in %s too long!", filename);
++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++ datatype = pattern;
++ }
++ else if(datatype == pattern)
++ {
++ if(strlen(line) >= MAX_PATTERN_LEN)
++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++ strncpy(info->pattern, line, MAX_PATTERN_LEN);
++
++ datatype = done;
++ break;
++ }
++ else
++ exit_error(OTHER_PROBLEM, "Internal error");
++ }
++
++ if(datatype != done)
++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++ if(line) free(line);
++ fclose(f);
++
++ return 1;
++
++/*
++ fprintf(stderr, "protocol: %s\npattern: %s\n\n",
++ info->protocol,
++ info->pattern);
++*/
++}
++
++static int hex2dec(char c)
++{
++ switch (c)
++ {
++ case '0' ... '9':
++ return c - '0';
++ case 'a' ... 'f':
++ return c - 'a' + 10;
++ case 'A' ... 'F':
++ return c - 'A' + 10;
++ default:
++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++ return 0;
++ }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters
++they stand for */
++static char * pre_process(char * s)
++{
++ char * result = malloc(strlen(s) + 1);
++ int sindex = 0, rindex = 0;
++ while( sindex < strlen(s) )
++ {
++ if( sindex + 3 < strlen(s) &&
++ s[sindex] == '\\' && s[sindex+1] == 'x' &&
++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
++ {
++ /* carefully remember to call tolower here... */
++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
++ hex2dec(s[sindex + 3] ) );
++
++ switch ( result[rindex] )
++ {
++ case 0x24:
++ case 0x28:
++ case 0x29:
++ case 0x2a:
++ case 0x2b:
++ case 0x2e:
++ case 0x3f:
++ case 0x5b:
++ case 0x5c:
++ case 0x5d:
++ case 0x5e:
++ case 0x7c:
++ fprintf(stderr,
++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
++ break;
++ case 0x00:
++ fprintf(stderr,
++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
++ break;
++ default:
++ break;
++ }
++
++
++ sindex += 3; /* 4 total */
++ }
++ else
++ result[rindex] = tolower(s[sindex]);
++
++ sindex++;
++ rindex++;
++ }
++ result[rindex] = '\0';
++
++ return result;
++}
++
++#define MAX_SUBDIRS 128
++char ** readl7dir(char * dirname)
++{
++ DIR * scratchdir;
++ struct dirent ** namelist;
++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++ int n, d = 1;
++ subdirs[0] = "";
++
++ n = scandir(dirname, &namelist, 0, alphasort);
++
++ if (n < 0)
++ {
++ perror("scandir");
++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++ }
++ else
++ {
++ while(n--)
++ {
++ char fulldirname[MAX_FN_LEN];
++
++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++ if((scratchdir = opendir(fulldirname)) != NULL)
++ {
++ closedir(scratchdir);
++
++ if(!strcmp(namelist[n]->d_name, ".") ||
++ !strcmp(namelist[n]->d_name, ".."))
++ /* do nothing */ ;
++ else
++ {
++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++ strcpy(subdirs[d], namelist[n]->d_name);
++ d++;
++ if(d >= MAX_SUBDIRS - 1)
++ {
++ fprintf(stderr,
++ "Too many subdirectories, skipping the rest!\n");
++ break;
++ }
++ }
++ }
++ free(namelist[n]);
++ }
++ free(namelist);
++ }
++
++ subdirs[d] = NULL;
++
++ return subdirs;
++}
++
++static void
++parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info)
++{
++ char filename[MAX_FN_LEN];
++ char * dir = NULL;
++ char ** subdirs;
++ int n = 0, done = 0;
++
++ if(strlen(l7dir) > 0)
++ dir = l7dir;
++ else
++ dir = "/etc/l7-protocols";
++
++ subdirs = readl7dir(dir);
++
++ while(subdirs[n] != NULL)
++ {
++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
++
++ if(c > MAX_FN_LEN)
++ {
++ exit_error(OTHER_PROBLEM,
++ "Filename beginning with %s is too long!\n", filename);
++ }
++
++ /* read in the pattern from the file */
++ if(parse_protocol_file(filename, s, info))
++ {
++ //fprintf(stderr, "found\n");
++ done = 1;
++ break;
++ }
++
++ //fprintf(stderr, "not found\n");
++
++ n++;
++ }
++
++ if(!done)
++ exit_error(OTHER_PROBLEM,
++ "Couldn't find a pattern definition file for %s.\n", s);
++
++ /* process \xHH escapes and tolower everything. (our regex lib has no
++ case insensitivity option.) */
++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ipt_entry *entry, unsigned int *nfcache,
++ struct ipt_entry_match **match)
++{
++ struct ipt_layer7_info *layer7info =
++ (struct ipt_layer7_info *)(*match)->data;
++
++ switch (c) {
++ case '1':
++ check_inverse(optarg, &invert, &optind, 0);
++ parse_layer7_protocol(argv[optind-1], layer7info);
++ if (invert)
++ layer7info->invert = 1;
++ *flags = 1;
++ break;
++
++ case '2':
++ /* not going to use this, but maybe we need to strip a ! anyway (?) */
++ check_inverse(optarg, &invert, &optind, 0);
++
++ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++ exit_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++ *flags = 1;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++ fputs("l7proto ", stdout);
++ if (invert) fputc('!', stdout);
++ printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const struct ipt_ip *ip,
++ const struct ipt_entry_match *match,
++ int numeric)
++{
++ printf("LAYER7 ");
++
++ print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
++ ((struct ipt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
++{
++ const struct ipt_layer7_info *info =
++ (const struct ipt_layer7_info*) match->data;
++
++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
++}
++
++static struct iptables_match layer7 = {
++ .name = "layer7",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
++ .help = &help,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ register_match(&layer7);
++}
+Index: iptables-1.3.8/extensions/libipt_layer7.man
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_layer7.man
+@@ -0,0 +1,14 @@
++This module matches packets based on the application layer data of
++their connections. It uses regular expression matching to compare
++the application layer data to regular expressions found it the layer7
++configuration files. This is an experimental module which can be found at
++http://l7-filter.sf.net. It takes two options.
++.TP
++.BI "--l7proto " "\fIprotocol\fP"
++Match the specified protocol. The protocol name must match a file
++name in /etc/l7-protocols/ or one of its first-level child directories.
++.TP
++.BI "--l7dir " "\fIdirectory\fP"
++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
++specified before --l7proto.
++
--- /dev/null
+Index: iptables-1.3.8/extensions/libipt_layer7.c
+===================================================================
+--- iptables-1.3.8.orig/extensions/libipt_layer7.c
++++ iptables-1.3.8/extensions/libipt_layer7.c
+@@ -37,7 +37,8 @@ static void help(void)
+ "LAYER7 match v%s options:\n"
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used!)\n"
+- "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
++ "--l7pkt : Skip connection tracking and match individual packets\n",
+ IPTABLES_VERSION);
+ fputc('\n', stdout);
+ }
+@@ -45,6 +46,7 @@ static void help(void)
+ static struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = 0 }
+ };
+
+@@ -333,6 +335,9 @@ static int parse(int c, char **argv, int
+
+ *flags = 1;
+ break;
++ case '3':
++ layer7info->pkt = 1;
++ break;
+
+ default:
+ return 0;
+@@ -365,6 +370,9 @@ static void print(const struct ipt_ip *i
+
+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
+ ((struct ipt_layer7_info *)match->data)->invert, numeric);
++
++ if (((struct ipt_layer7_info *)match->data)->pkt)
++ printf("l7pkt ");
+ }
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
--- /dev/null
+Index: iptables-1.3.8/extensions/libipt_multiport.c
+===================================================================
+--- iptables-1.3.8.orig/extensions/libipt_multiport.c
++++ iptables-1.3.8/extensions/libipt_multiport.c
+@@ -8,24 +8,6 @@
+ /* To ensure that iptables compiles with an old kernel */
+ #include "../include/linux/netfilter_ipv4/ipt_multiport.h"
+
+-/* Function which prints out usage message. */
+-static void
+-help(void)
+-{
+- printf(
+-"multiport v%s options:\n"
+-" --source-ports port[,port,port...]\n"
+-" --sports ...\n"
+-" match source port(s)\n"
+-" --destination-ports port[,port,port...]\n"
+-" --dports ...\n"
+-" match destination port(s)\n"
+-" --ports port[,port,port]\n"
+-" match both source and destination port(s)\n"
+-" NOTE: this kernel does not support port ranges in multiport.\n",
+-IPTABLES_VERSION);
+-}
+-
+ static void
+ help_v1(void)
+ {
+@@ -70,26 +52,6 @@ proto_to_name(u_int8_t proto)
+ }
+ }
+
+-static unsigned int
+-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+-{
+- char *buffer, *cp, *next;
+- unsigned int i;
+-
+- buffer = strdup(portstring);
+- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
+-
+- for (cp=buffer, i=0; cp && i<IPT_MULTI_PORTS; cp=next,i++)
+- {
+- next=strchr(cp, ',');
+- if (next) *next++='\0';
+- ports[i] = parse_port(cp, proto);
+- }
+- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
+- free(buffer);
+- return i;
+-}
+-
+ static void
+ parse_multi_ports_v1(const char *portstring,
+ struct ipt_multiport_v1 *multiinfo,
+@@ -156,58 +118,6 @@ check_proto(const struct ipt_entry *entr
+ "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
+ }
+
+-/* Function which parses command options; returns true if it
+- ate an option */
+-static int
+-parse(int c, char **argv, int invert, unsigned int *flags,
+- const struct ipt_entry *entry,
+- unsigned int *nfcache,
+- struct ipt_entry_match **match)
+-{
+- const char *proto;
+- struct ipt_multiport *multiinfo
+- = (struct ipt_multiport *)(*match)->data;
+-
+- switch (c) {
+- case '1':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(entry);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = IPT_MULTIPORT_SOURCE;
+- break;
+-
+- case '2':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(entry);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = IPT_MULTIPORT_DESTINATION;
+- break;
+-
+- case '3':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(entry);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = IPT_MULTIPORT_EITHER;
+- break;
+-
+- default:
+- return 0;
+- }
+-
+- if (invert)
+- exit_error(PARAMETER_PROBLEM,
+- "multiport does not support invert");
+-
+- if (*flags)
+- exit_error(PARAMETER_PROBLEM,
+- "multiport can only have one option");
+- *flags = 1;
+- return 1;
+-}
+-
+ static int
+ parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+@@ -284,43 +194,6 @@ print_port(u_int16_t port, u_int8_t prot
+ printf("%s", service);
+ }
+
+-/* Prints out the matchinfo. */
+-static void
+-print(const struct ipt_ip *ip,
+- const struct ipt_entry_match *match,
+- int numeric)
+-{
+- const struct ipt_multiport *multiinfo
+- = (const struct ipt_multiport *)match->data;
+- unsigned int i;
+-
+- printf("multiport ");
+-
+- switch (multiinfo->flags) {
+- case IPT_MULTIPORT_SOURCE:
+- printf("sports ");
+- break;
+-
+- case IPT_MULTIPORT_DESTINATION:
+- printf("dports ");
+- break;
+-
+- case IPT_MULTIPORT_EITHER:
+- printf("ports ");
+- break;
+-
+- default:
+- printf("ERROR ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], ip->proto, numeric);
+- }
+- printf(" ");
+-}
+-
+ static void
+ print_v1(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+@@ -364,34 +237,6 @@ print_v1(const struct ipt_ip *ip,
+ printf(" ");
+ }
+
+-/* Saves the union ipt_matchinfo in parsable form to stdout. */
+-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+-{
+- const struct ipt_multiport *multiinfo
+- = (const struct ipt_multiport *)match->data;
+- unsigned int i;
+-
+- switch (multiinfo->flags) {
+- case IPT_MULTIPORT_SOURCE:
+- printf("--sports ");
+- break;
+-
+- case IPT_MULTIPORT_DESTINATION:
+- printf("--dports ");
+- break;
+-
+- case IPT_MULTIPORT_EITHER:
+- printf("--ports ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], ip->proto, 1);
+- }
+- printf(" ");
+-}
+-
+ static void save_v1(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match)
+ {
+@@ -427,19 +272,20 @@ static void save_v1(const struct ipt_ip
+ printf(" ");
+ }
+
++
+ static struct iptables_match multiport = {
+ .next = NULL,
+ .name = "multiport",
+- .revision = 0,
+ .version = IPTABLES_VERSION,
+- .size = IPT_ALIGN(sizeof(struct ipt_multiport)),
+- .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport)),
+- .help = &help,
++ .revision = 0,
++ .size = IPT_ALIGN(sizeof(struct ipt_multiport_v1)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_multiport_v1)),
++ .help = &help_v1,
+ .init = &init,
+- .parse = &parse,
++ .parse = &parse_v1,
+ .final_check = &final_check,
+- .print = &print,
+- .save = &save,
++ .print = &print_v1,
++ .save = &save_v1,
+ .extra_opts = opts
+ };
+
--- /dev/null
+Index: iptables-1.3.8/extensions/.IMQ-test6
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/.IMQ-test6
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ
+Index: iptables-1.3.8/extensions/libip6t_IMQ.c
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/libip6t_IMQ.c
+@@ -0,0 +1,101 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct ip6t_entry_target *t, unsigned int *nfcache)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
++
++ mr->todev = 0;
++ *nfcache |= NFC_UNKNOWN;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ip6t_entry *entry,
++ struct ip6t_entry_target **target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const struct ip6t_ip6 *ip,
++ const struct ip6t_entry_target *target,
++ int numeric)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct ip6tables_target imq = {
++ .next = NULL,
++ .name = "IMQ",
++ .version = IPTABLES_VERSION,
++ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++ register_target6(&imq);
++}
+Index: iptables-1.3.8/extensions/.IMQ-test
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/.IMQ-test
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ
+Index: iptables-1.3.8/extensions/libipt_IMQ.c
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_IMQ.c
+@@ -0,0 +1,101 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct ipt_entry_target *t, unsigned int *nfcache)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
++
++ mr->todev = 0;
++ *nfcache |= NFC_UNKNOWN;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ipt_entry *entry,
++ struct ipt_entry_target **target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target,
++ int numeric)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct iptables_target imq = {
++ .next = NULL,
++ .name = "IMQ",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++ register_target(&imq);
++}
--- /dev/null
+Index: iptables-1.4.0/extensions/Makefile
+===================================================================
+--- iptables-1.4.0.orig/extensions/Makefile
++++ iptables-1.4.0/extensions/Makefile
+@@ -19,6 +19,10 @@ PF6_EXT_SE_SLIB:=$(PF6_EXT_SELINUX_SLIB)
+ PFX_EXT_SE_SLIB:=$(PFX_EXT_SELINUX_SLIB)
+ endif
+
++
++# ipp2p
++PF_EXT_SLIB += ipp2p
++
+ # Optionals
+ PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+ PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+Index: iptables-1.4.0/extensions/libipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libipt_ipp2p.c
+@@ -0,0 +1,398 @@
++
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++
++#include <iptables.h>
++
++#include <linux/netfilter_ipv4/ipt_ipp2p.h>
++
++static void
++help(void)
++{
++ printf(
++ "IPP2P v%s options:\n"
++ " --ipp2p Grab all known p2p packets\n"
++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n"
++ " --dc [TCP] All known Direct Connect packets\n"
++ " --kazaa [TCP&UDP] All known KaZaA packets\n"
++ " --gnu [TCP&UDP] All known Gnutella packets\n"
++ " --bit [TCP&UDP] All known BitTorrent packets\n"
++ " --apple [TCP] All known AppleJuice packets\n"
++ " --winmx [TCP] All known WinMX\n"
++ " --soul [TCP] All known SoulSeek\n"
++ " --ares [TCP] All known Ares\n\n"
++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
++ " --mute [TCP] All known Mute packets\n"
++ " --waste [TCP] All known Waste packets\n"
++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n"
++ " DEBUG SUPPPORT, use only if you know why\n"
++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
++ "\nNote that the follwing options will have the same meaning:\n"
++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n"
++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
++ "\nExamples:\n"
++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
++ , IPP2P_VERSION);
++}
++
++static struct option opts[] = {
++ { "ipp2p", 0, 0, '1' },
++ { "edk", 0, 0, '2' },
++ { "dc", 0, 0, '7' },
++ { "gnu", 0, 0, '9' },
++ { "kazaa", 0, 0, 'a' },
++ { "bit", 0, 0, 'b' },
++ { "apple", 0, 0, 'c' },
++ { "soul", 0, 0, 'd' },
++ { "winmx", 0, 0, 'e' },
++ { "ares", 0, 0, 'f' },
++ { "mute", 0, 0, 'g' },
++ { "waste", 0, 0, 'h' },
++ { "xdcc", 0, 0, 'i' },
++ { "debug", 0, 0, 'j' },
++ {0}
++};
++
++
++
++static void
++init(struct xt_entry_match *m)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
++
++ /*init the module with default values*/
++ info->cmd = 0;
++ info->debug = 0;
++
++}
++
++
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry,
++ struct xt_entry_match **match)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
++
++ switch (c) {
++ case '1': /*cmd: ipp2p*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags) != 0)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += SHORT_HAND_IPP2P;
++ info->cmd = *flags;
++ break;
++
++ case '2': /*cmd: edk*/
++ if ((*flags & IPP2P_EDK) == IPP2P_EDK)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--edk' may only be "
++ "specified once");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_EDK;
++ info->cmd = *flags;
++ break;
++
++
++ case '7': /*cmd: dc*/
++ if ((*flags & IPP2P_DC) == IPP2P_DC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--dc' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_DC;
++ info->cmd = *flags;
++ break;
++
++
++ case '9': /*cmd: gnu*/
++ if ((*flags & IPP2P_GNU) == IPP2P_GNU)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--gnu' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_GNU;
++ info->cmd = *flags;
++ break;
++
++ case 'a': /*cmd: kazaa*/
++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--kazaa' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_KAZAA;
++ info->cmd = *flags;
++ break;
++
++ case 'b': /*cmd: bit*/
++ if ((*flags & IPP2P_BIT) == IPP2P_BIT)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--bit' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_BIT;
++ info->cmd = *flags;
++ break;
++
++ case 'c': /*cmd: apple*/
++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--apple' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_APPLE;
++ info->cmd = *flags;
++ break;
++
++
++ case 'd': /*cmd: soul*/
++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--soul' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_SOUL;
++ info->cmd = *flags;
++ break;
++
++
++ case 'e': /*cmd: winmx*/
++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--winmx' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_WINMX;
++ info->cmd = *flags;
++ break;
++
++ case 'f': /*cmd: ares*/
++ if ((*flags & IPP2P_ARES) == IPP2P_ARES)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ares' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_ARES;
++ info->cmd = *flags;
++ break;
++
++ case 'g': /*cmd: mute*/
++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--mute' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_MUTE;
++ info->cmd = *flags;
++ break;
++ case 'h': /*cmd: waste*/
++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--waste' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_WASTE;
++ info->cmd = *flags;
++ break;
++ case 'i': /*cmd: xdcc*/
++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ares' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_XDCC;
++ info->cmd = *flags;
++ break;
++
++ case 'j': /*cmd: debug*/
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ info->debug = 1;
++ break;
++
++ default:
++// exit_error(PARAMETER_PROBLEM,
++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
++ return 0;
++ }
++ return 1;
++}
++
++
++static void
++final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
++}
++
++
++
++static void
++print(const void *ip,
++ const struct xt_entry_match *match,
++ int numeric)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
++
++ printf("ipp2p v%s", IPP2P_VERSION);
++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p");
++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data");
++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa");
++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data");
++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data");
++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu");
++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk");
++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data");
++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data");
++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc");
++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit");
++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple");
++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul");
++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx");
++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares");
++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
++ if (info->debug != 0) printf(" --debug");
++ printf(" ");
++}
++
++
++
++static void
++save(const void *ip, const struct xt_entry_match *match)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
++
++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p ");
++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data ");
++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa ");
++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data ");
++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data ");
++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu ");
++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk ");
++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data ");
++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data ");
++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc ");
++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit ");
++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple ");
++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul ");
++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx ");
++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares ");
++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
++ if (info->debug != 0) printf("--debug ");
++}
++
++
++
++
++static
++struct iptables_match ipp2p=
++{
++ .family = AF_INET,
++ .name = "ipp2p",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
++ .help = help,
++ .init = init,
++ .parse = parse,
++ .final_check = final_check,
++ .print = print,
++ .save = save,
++ .extra_opts = opts
++};
++
++
++
++void _init(void)
++{
++ register_match(&ipp2p);
++}
++
+Index: iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
+@@ -0,0 +1,31 @@
++#ifndef __IPT_IPP2P_H
++#define __IPT_IPP2P_H
++#define IPP2P_VERSION "0.8.1_rc1"
++
++struct ipt_p2p_info {
++ int cmd;
++ int debug;
++};
++
++#endif //__IPT_IPP2P_H
++
++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
++//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
++#define SHORT_HAND_NONE 5 /* no short hand*/
++
++#define IPP2P_EDK (1 << 1)
++#define IPP2P_DATA_KAZAA (1 << 2)
++#define IPP2P_DATA_EDK (1 << 3)
++#define IPP2P_DATA_DC (1 << 4)
++#define IPP2P_DC (1 << 5)
++#define IPP2P_DATA_GNU (1 << 6)
++#define IPP2P_GNU (1 << 7)
++#define IPP2P_KAZAA (1 << 8)
++#define IPP2P_BIT (1 << 9)
++#define IPP2P_APPLE (1 << 10)
++#define IPP2P_SOUL (1 << 11)
++#define IPP2P_WINMX (1 << 12)
++#define IPP2P_ARES (1 << 13)
++#define IPP2P_MUTE (1 << 14)
++#define IPP2P_WASTE (1 << 15)
++#define IPP2P_XDCC (1 << 16)
--- /dev/null
+--- iptables-1.4.0rc1/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600
++++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.c 2007-11-19 06:06:56.000000000 -0600
+@@ -0,0 +1,393 @@
++/*
++ Shared library add-on to iptables to add layer 7 matching support.
++
++ By Matthew Strait <quadong@users.sf.net>, Oct 2003.
++
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <iptables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++ printf(
++ "LAYER7 match v%s options:\n"
++ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++ " (--l7dir must be specified before --l7proto if used!)\n"
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ IPTABLES_VERSION);
++ fputc('\n', stdout);
++}
++
++static struct option opts[] = {
++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = 0 }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++ FILE * f;
++ char * line = NULL;
++ size_t len = 0;
++
++ enum { protocol, pattern, done } datatype = protocol;
++
++ f = fopen(filename, "r");
++
++ if(!f)
++ return 0;
++
++ while(getline(&line, &len, f) != -1)
++ {
++ if(strlen(line) < 2 || line[0] == '#')
++ continue;
++
++ /* strip the pesky newline... */
++ if(line[strlen(line) - 1] == '\n')
++ line[strlen(line) - 1] = '\0';
++
++ if(datatype == protocol)
++ {
++ /* Ignore everything on the line beginning with the
++ first space or tab . For instance, this allows the
++ protocol line in http.pat to be "http " (or
++ "http I am so cool") instead of just "http". */
++ if(strchr(line, ' ')){
++ char * space = strchr(line, ' ');
++ space[0] = '\0';
++ }
++ if(strchr(line, '\t')){
++ char * space = strchr(line, '\t');
++ space[0] = '\0';
++ }
++
++ /* sanity check. First non-comment non-blank
++ line must be the same as the file name. */
++ if(strcmp(line, protoname))
++ exit_error(OTHER_PROBLEM,
++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
++ line, filename);
++
++ if(strlen(line) >= MAX_PROTOCOL_LEN)
++ exit_error(PARAMETER_PROBLEM,
++ "Protocol name in %s too long!", filename);
++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++ datatype = pattern;
++ }
++ else if(datatype == pattern)
++ {
++ if(strlen(line) >= MAX_PATTERN_LEN)
++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++ strncpy(info->pattern, line, MAX_PATTERN_LEN);
++
++ datatype = done;
++ break;
++ }
++ else
++ exit_error(OTHER_PROBLEM, "Internal error");
++ }
++
++ if(datatype != done)
++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++ if(line) free(line);
++ fclose(f);
++
++ return 1;
++
++/*
++ fprintf(stderr, "protocol: %s\npattern: %s\n\n",
++ info->protocol,
++ info->pattern);
++*/
++}
++
++static int hex2dec(char c)
++{
++ switch (c)
++ {
++ case '0' ... '9':
++ return c - '0';
++ case 'a' ... 'f':
++ return c - 'a' + 10;
++ case 'A' ... 'F':
++ return c - 'A' + 10;
++ default:
++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++ return 0;
++ }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters
++they stand for */
++static char * pre_process(char * s)
++{
++ char * result = malloc(strlen(s) + 1);
++ int sindex = 0, rindex = 0;
++ while( sindex < strlen(s) )
++ {
++ if( sindex + 3 < strlen(s) &&
++ s[sindex] == '\\' && s[sindex+1] == 'x' &&
++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
++ {
++ /* carefully remember to call tolower here... */
++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
++ hex2dec(s[sindex + 3] ) );
++
++ switch ( result[rindex] )
++ {
++ case 0x24:
++ case 0x28:
++ case 0x29:
++ case 0x2a:
++ case 0x2b:
++ case 0x2e:
++ case 0x3f:
++ case 0x5b:
++ case 0x5c:
++ case 0x5d:
++ case 0x5e:
++ case 0x7c:
++ fprintf(stderr,
++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
++ break;
++ case 0x00:
++ fprintf(stderr,
++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
++ break;
++ default:
++ break;
++ }
++
++
++ sindex += 3; /* 4 total */
++ }
++ else
++ result[rindex] = tolower(s[sindex]);
++
++ sindex++;
++ rindex++;
++ }
++ result[rindex] = '\0';
++
++ return result;
++}
++
++#define MAX_SUBDIRS 128
++char ** readl7dir(char * dirname)
++{
++ DIR * scratchdir;
++ struct dirent ** namelist;
++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++ int n, d = 1;
++ subdirs[0] = "";
++
++ n = scandir(dirname, &namelist, 0, alphasort);
++
++ if (n < 0)
++ {
++ perror("scandir");
++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++ }
++ else
++ {
++ while(n--)
++ {
++ char fulldirname[MAX_FN_LEN];
++
++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++ if((scratchdir = opendir(fulldirname)) != NULL)
++ {
++ closedir(scratchdir);
++
++ if(!strcmp(namelist[n]->d_name, ".") ||
++ !strcmp(namelist[n]->d_name, ".."))
++ /* do nothing */ ;
++ else
++ {
++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++ strcpy(subdirs[d], namelist[n]->d_name);
++ d++;
++ if(d >= MAX_SUBDIRS - 1)
++ {
++ fprintf(stderr,
++ "Too many subdirectories, skipping the rest!\n");
++ break;
++ }
++ }
++ }
++ free(namelist[n]);
++ }
++ free(namelist);
++ }
++
++ subdirs[d] = NULL;
++
++ return subdirs;
++}
++
++static void
++parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++ char filename[MAX_FN_LEN];
++ char * dir = NULL;
++ char ** subdirs;
++ int n = 0, done = 0;
++
++ if(strlen(l7dir) > 0)
++ dir = l7dir;
++ else
++ dir = "/etc/l7-protocols";
++
++ subdirs = readl7dir(dir);
++
++ while(subdirs[n] != NULL)
++ {
++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
++
++ if(c > MAX_FN_LEN)
++ {
++ exit_error(OTHER_PROBLEM,
++ "Filename beginning with %s is too long!\n", filename);
++ }
++
++ /* read in the pattern from the file */
++ if(parse_protocol_file(filename, s, info))
++ {
++ //fprintf(stderr, "found\n");
++ done = 1;
++ break;
++ }
++
++ //fprintf(stderr, "not found\n");
++
++ n++;
++ }
++
++ if(!done)
++ exit_error(OTHER_PROBLEM,
++ "Couldn't find a pattern definition file for %s.\n", s);
++
++ /* process \xHH escapes and tolower everything. (our regex lib has no
++ case insensitivity option.) */
++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_match **match)
++{
++ struct xt_layer7_info *layer7info =
++ (struct xt_layer7_info *)(*match)->data;
++
++ switch (c) {
++ case '1':
++ check_inverse(optarg, &invert, &optind, 0);
++ parse_layer7_protocol(argv[optind-1], layer7info);
++ if (invert)
++ layer7info->invert = 1;
++ *flags = 1;
++ break;
++
++ case '2':
++ /* not going to use this, but maybe we need to strip a ! anyway (?) */
++ check_inverse(optarg, &invert, &optind, 0);
++
++ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++ exit_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++ *flags = 1;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++ fputs("l7proto ", stdout);
++ if (invert) fputc('!', stdout);
++ printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++ const struct xt_entry_match *match,
++ int numeric)
++{
++ printf("LAYER7 ");
++
++ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++ ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++ const struct xt_layer7_info *info =
++ (const struct xt_layer7_info*) match->data;
++
++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
++}
++
++static struct iptables_match layer7 = {
++ .name = "layer7",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct xt_layer7_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)),
++ .help = &help,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ register_match(&layer7);
++}
+--- iptables-1.4.0rc1/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600
++++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.man 2007-11-19 05:49:46.000000000 -0600
+@@ -0,0 +1,14 @@
++This module matches packets based on the application layer data of
++their connections. It uses regular expression matching to compare
++the application layer data to regular expressions found it the layer7
++configuration files. This is an experimental module which can be found at
++http://l7-filter.sf.net. It takes two options.
++.TP
++.BI "--l7proto " "\fIprotocol\fP"
++Match the specified protocol. The protocol name must match a file
++name in /etc/l7-protocols/ or one of its first-level child directories.
++.TP
++.BI "--l7dir " "\fIdirectory\fP"
++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
++specified before --l7proto.
++
+--- iptables-1.4.0rc1/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600
++++ iptables-1.4.0rc1-layer7/extensions/.layer7-test 2007-11-19 06:18:58.000000000 -0600
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7
--- /dev/null
+Index: iptables-1.4.0/extensions/libipt_layer7.c
+===================================================================
+--- iptables-1.4.0.orig/extensions/libipt_layer7.c
++++ iptables-1.4.0/extensions/libipt_layer7.c
+@@ -43,7 +43,8 @@ static void help(void)
+ "LAYER7 match v%s options:\n"
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used!)\n"
+- "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
++ "--l7pkt : Skip connection tracking and match individual packets\n",
+ IPTABLES_VERSION);
+ fputc('\n', stdout);
+ }
+@@ -51,6 +52,7 @@ static void help(void)
+ static struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = 0 }
+ };
+
+@@ -339,6 +341,10 @@ static int parse(int c, char **argv, int
+ *flags = 1;
+ break;
+
++ case '3':
++ layer7info->pkt = 1;
++ break;
++
+ default:
+ return 0;
+ }
+@@ -370,6 +376,9 @@ static void print(const void *ip,
+
+ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
+ ((struct xt_layer7_info *)match->data)->invert, numeric);
++
++ if (((struct xt_layer7_info *)match->data)->pkt)
++ printf("l7pkt ");
+ }
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+ static void save(const void *ip, const struct xt_entry_match *match)
--- /dev/null
+Index: iptables-1.4.0/extensions/libxt_multiport.c
+===================================================================
+--- iptables-1.4.0.orig/extensions/libxt_multiport.c
++++ iptables-1.4.0/extensions/libxt_multiport.c
+@@ -12,22 +12,6 @@
+ #include "../include/linux/netfilter/xt_multiport.h"
+
+ /* Function which prints out usage message. */
+-static void multiport_help(void)
+-{
+- printf(
+-"multiport v%s options:\n"
+-" --source-ports port[,port,port...]\n"
+-" --sports ...\n"
+-" match source port(s)\n"
+-" --destination-ports port[,port,port...]\n"
+-" --dports ...\n"
+-" match destination port(s)\n"
+-" --ports port[,port,port]\n"
+-" match both source and destination port(s)\n"
+-" NOTE: this kernel does not support port ranges in multiport.\n",
+-IPTABLES_VERSION);
+-}
+-
+ static void multiport_help_v1(void)
+ {
+ printf(
+@@ -71,26 +55,6 @@ proto_to_name(u_int8_t proto)
+ }
+ }
+
+-static unsigned int
+-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+-{
+- char *buffer, *cp, *next;
+- unsigned int i;
+-
+- buffer = strdup(portstring);
+- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
+-
+- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+- {
+- next=strchr(cp, ',');
+- if (next) *next++='\0';
+- ports[i] = parse_port(cp, proto);
+- }
+- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
+- free(buffer);
+- return i;
+-}
+-
+ static void
+ parse_multi_ports_v1(const char *portstring,
+ struct xt_multiport_v1 *multiinfo,
+@@ -154,73 +118,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
+ /* Function which parses command options; returns true if it
+ ate an option */
+ static int
+-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+- struct xt_entry_match **match, u_int16_t pnum,
+- u_int8_t invflags)
+-{
+- const char *proto;
+- struct xt_multiport *multiinfo
+- = (struct xt_multiport *)(*match)->data;
+-
+- switch (c) {
+- case '1':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_SOURCE;
+- break;
+-
+- case '2':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_DESTINATION;
+- break;
+-
+- case '3':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_EITHER;
+- break;
+-
+- default:
+- return 0;
+- }
+-
+- if (invert)
+- exit_error(PARAMETER_PROBLEM,
+- "multiport does not support invert");
+-
+- if (*flags)
+- exit_error(PARAMETER_PROBLEM,
+- "multiport can only have one option");
+- *flags = 1;
+- return 1;
+-}
+-
+-static int
+-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+- const void *e, struct xt_entry_match **match)
+-{
+- const struct ipt_entry *entry = e;
+- return __multiport_parse(c, argv, invert, flags, match,
+- entry->ip.proto, entry->ip.invflags);
+-}
+-
+-static int
+-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
+- const void *e, struct xt_entry_match **match)
+-{
+- const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
+- return __multiport_parse(c, argv, invert, flags, match,
+- entry->ipv6.proto, entry->ipv6.invflags);
+-}
+-
+-static int
+ __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_entry_match **match, u_int16_t pnum,
+ u_int8_t invflags)
+@@ -313,55 +210,6 @@ print_port(u_int16_t port, u_int8_t prot
+ }
+
+ /* Prints out the matchinfo. */
+-static void
+-__multiport_print(const struct xt_entry_match *match, int numeric,
+- u_int16_t proto)
+-{
+- const struct xt_multiport *multiinfo
+- = (const struct xt_multiport *)match->data;
+- unsigned int i;
+-
+- printf("multiport ");
+-
+- switch (multiinfo->flags) {
+- case XT_MULTIPORT_SOURCE:
+- printf("sports ");
+- break;
+-
+- case XT_MULTIPORT_DESTINATION:
+- printf("dports ");
+- break;
+-
+- case XT_MULTIPORT_EITHER:
+- printf("ports ");
+- break;
+-
+- default:
+- printf("ERROR ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], proto, numeric);
+- }
+- printf(" ");
+-}
+-
+-static void multiport_print(const void *ip_void,
+- const struct xt_entry_match *match, int numeric)
+-{
+- const struct ipt_ip *ip = ip_void;
+- __multiport_print(match, numeric, ip->proto);
+-}
+-
+-static void multiport_print6(const void *ip_void,
+- const struct xt_entry_match *match, int numeric)
+-{
+- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+- __multiport_print(match, numeric, ip->proto);
+-}
+-
+ static void __multiport_print_v1(const struct xt_entry_match *match,
+ int numeric, u_int16_t proto)
+ {
+@@ -418,48 +266,6 @@ static void multiport_print6_v1(const vo
+ }
+
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+-static void __multiport_save(const struct xt_entry_match *match,
+- u_int16_t proto)
+-{
+- const struct xt_multiport *multiinfo
+- = (const struct xt_multiport *)match->data;
+- unsigned int i;
+-
+- switch (multiinfo->flags) {
+- case XT_MULTIPORT_SOURCE:
+- printf("--sports ");
+- break;
+-
+- case XT_MULTIPORT_DESTINATION:
+- printf("--dports ");
+- break;
+-
+- case XT_MULTIPORT_EITHER:
+- printf("--ports ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], proto, 1);
+- }
+- printf(" ");
+-}
+-
+-static void multiport_save(const void *ip_void,
+- const struct xt_entry_match *match)
+-{
+- const struct ipt_ip *ip = ip_void;
+- __multiport_save(match, ip->proto);
+-}
+-
+-static void multiport_save6(const void *ip_void,
+- const struct xt_entry_match *match)
+-{
+- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+- __multiport_save(match, ip->proto);
+-}
+-
+ static void __multiport_save_v1(const struct xt_entry_match *match,
+ u_int16_t proto)
+ {
+@@ -509,36 +315,6 @@ static void multiport_save6_v1(const voi
+ __multiport_save_v1(match, ip->proto);
+ }
+
+-static struct xtables_match multiport_match = {
+- .family = AF_INET,
+- .name = "multiport",
+- .revision = 0,
+- .version = IPTABLES_VERSION,
+- .size = XT_ALIGN(sizeof(struct xt_multiport)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+- .help = multiport_help,
+- .parse = multiport_parse,
+- .final_check = multiport_check,
+- .print = multiport_print,
+- .save = multiport_save,
+- .extra_opts = multiport_opts,
+-};
+-
+-static struct xtables_match multiport_match6 = {
+- .family = AF_INET6,
+- .name = "multiport",
+- .revision = 0,
+- .version = IPTABLES_VERSION,
+- .size = XT_ALIGN(sizeof(struct xt_multiport)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+- .help = multiport_help,
+- .parse = multiport_parse6,
+- .final_check = multiport_check,
+- .print = multiport_print6,
+- .save = multiport_save6,
+- .extra_opts = multiport_opts,
+-};
+-
+ static struct xtables_match multiport_match_v1 = {
+ .family = AF_INET,
+ .name = "multiport",
+@@ -572,8 +348,6 @@ static struct xtables_match multiport_ma
+ void
+ _init(void)
+ {
+- xtables_register_match(&multiport_match);
+- xtables_register_match(&multiport_match6);
+ xtables_register_match(&multiport_match_v1);
+ xtables_register_match(&multiport_match6_v1);
+ }
--- /dev/null
+--- iptables-1.4.0.orig/extensions.orig/.IMQ-test6 Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/.IMQ-test6 Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ
+--- iptables-1.4.0.orig/extensions.orig/libip6t_IMQ.c Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/libip6t_IMQ.c Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,100 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct xt_entry_target *t)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry,
++ struct xt_entry_target **target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const void *ip, const struct xt_entry_target *target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct ip6tables_target imq = {
++ .next = NULL,
++ .name = "IMQ",
++ .version = IPTABLES_VERSION,
++ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++ register_target6(&imq);
++}
+--- iptables-1.4.0.orig/extensions.orig/.IMQ-test Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/.IMQ-test Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ
+--- iptables-1.4.0.orig/extensions.orig/libipt_IMQ.c Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/libipt_IMQ.c Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,100 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct xt_entry_target *t)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry,
++ struct xt_entry_target **target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const void *ip, const struct xt_entry_target *target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct iptables_target imq = {
++ .next = NULL,
++ .name = "IMQ",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++ register_target(&imq);
++}
+
--- /dev/null
+Index: iptables-1.4.0/extensions/.CHAOS-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.CHAOS-testx
+@@ -0,0 +1,3 @@
++#! /bin/sh
++
++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"
+Index: iptables-1.4.0/extensions/libxt_CHAOS.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_CHAOS.c
+@@ -0,0 +1,114 @@
++/*
++ * CHAOS target for iptables
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <getopt.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_CHAOS.h>
++
++enum {
++ F_DELUDE = 1 << 0,
++ F_TARPIT = 1 << 1,
++};
++
++static const struct option chaos_tg_opts[] = {
++ {.name = "delude", .has_arg = false, .val = 'd'},
++ {.name = "tarpit", .has_arg = false, .val = 't'},
++ {},
++};
++
++static void chaos_tg_help(void)
++{
++ printf(
++ "CHAOS target v%s options:\n"
++ " --delude Enable DELUDE processing for TCP\n"
++ " --tarpit Enable TARPIT processing for TCP\n",
++ IPTABLES_VERSION);
++ return;
++}
++
++static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ struct xt_chaos_target_info *info = (void *)((*target)->data);
++ switch (c) {
++ case 'd':
++ info->variant = XTCHAOS_DELUDE;
++ *flags |= F_DELUDE;
++ return true;
++ case 't':
++ info->variant = XTCHAOS_TARPIT;
++ *flags |= F_TARPIT;
++ return true;
++ }
++ return false;
++}
++
++static void chaos_tg_check(unsigned int flags)
++{
++ if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT))
++ /* If flags == 0x03, both were specified, which should not be. */
++ exit_error(PARAMETER_PROBLEM,
++ "CHAOS: only one of --tarpit or --delude "
++ "may be specified");
++ return;
++}
++
++static void chaos_tg_print(const void *ip,
++ const struct xt_entry_target *target, int numeric)
++{
++ const struct xt_chaos_target_info *info = (const void *)target->data;
++ switch (info->variant) {
++ case XTCHAOS_DELUDE:
++ printf("DELUDE ");
++ break;
++ case XTCHAOS_TARPIT:
++ printf("TARPIT ");
++ break;
++ }
++ return;
++}
++
++static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
++{
++ const struct xt_chaos_target_info *info = (const void *)target->data;
++ switch (info->variant) {
++ case XTCHAOS_DELUDE:
++ printf("--delude ");
++ break;
++ case XTCHAOS_TARPIT:
++ printf("--tarpit ");
++ break;
++ }
++ return;
++}
++
++static struct xtables_target chaos_tg_reg = {
++ .version = IPTABLES_VERSION,
++ .name = "CHAOS",
++ .family = AF_INET,
++ .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
++ .help = chaos_tg_help,
++ .parse = chaos_tg_parse,
++ .final_check = chaos_tg_check,
++ .print = chaos_tg_print,
++ .save = chaos_tg_save,
++ .extra_opts = chaos_tg_opts,
++};
++
++void _init(void)
++{
++ xtables_register_target(&chaos_tg_reg);
++ return;
++}
+Index: iptables-1.4.0/extensions/libxt_CHAOS.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_CHAOS.man
+@@ -0,0 +1,18 @@
++Causes confusion on the other end by doing odd things with incoming packets.
++CHAOS will randomly reply (or not) with one of its configurable subtargets:
++.TP
++\fB--delude\fR
++Use the REJECT and DELUDE targets as a base to do a sudden or deferred
++connection reset, fooling some network scanners to return non-deterministic
++(randomly open/closed) results, and in case it is deemed open, it is actually
++closed/filtered.
++.TP
++\fB--tarpit\fR
++Use the REJECT and TARPIT target as a base to hold the connection until it
++times out. This consumes conntrack entries when connection tracking is loaded
++(which usually is on most machines), and routers inbetween you and the Internet
++may fail to do their connection tracking if they have to handle more
++connections than they can.
++.PP
++The randomness factor of not replying vs. replying can be set during load-time
++of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
+Index: iptables-1.4.0/extensions/.DELUDE-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.DELUDE-testx
+@@ -0,0 +1,3 @@
++#! /bin/sh
++
++[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE"
+Index: iptables-1.4.0/extensions/libxt_DELUDE.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_DELUDE.c
+@@ -0,0 +1,49 @@
++/*
++ * DELUDE target for iptables
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <getopt.h>
++#include <stdio.h>
++#include <string.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++
++static void delude_tg_help(void)
++{
++ printf("DELUDE takes no options\n");
++ return;
++}
++
++static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ return 0;
++}
++
++static void delude_tg_check(unsigned int flags)
++{
++ return;
++}
++
++static struct xtables_target delude_tg_reg = {
++ .version = IPTABLES_VERSION,
++ .name = "DELUDE",
++ .family = AF_INET,
++ .size = XT_ALIGN(0),
++ .userspacesize = XT_ALIGN(0),
++ .help = delude_tg_help,
++ .parse = delude_tg_parse,
++ .final_check = delude_tg_check,
++};
++
++void _init(void)
++{
++ xtables_register_target(&delude_tg_reg);
++ return;
++}
+Index: iptables-1.4.0/extensions/libxt_DELUDE.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_DELUDE.man
+@@ -0,0 +1,4 @@
++The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
++packets with an RST. This will terminate the connection much like REJECT, but
++network scanners doing TCP half-open discovery can be spoofed to make them
++belive the port is open rather than closed/filtered.
+Index: iptables-1.4.0/extensions/.portscan-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.portscan-testx
+@@ -0,0 +1,3 @@
++#! /bin/sh
++
++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"
+Index: iptables-1.4.0/extensions/libxt_portscan.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_portscan.c
+@@ -0,0 +1,127 @@
++/*
++ * portscan match for iptables
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <iptables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_portscan.h>
++
++static const struct option portscan_mt_opts[] = {
++ {.name = "stealth", .has_arg = false, .val = 'x'},
++ {.name = "synscan", .has_arg = false, .val = 's'},
++ {.name = "cnscan", .has_arg = false, .val = 'c'},
++ {.name = "grscan", .has_arg = false, .val = 'g'},
++ {},
++};
++
++static void portscan_mt_help(void)
++{
++ printf(
++ "portscan match v%s options:\n"
++ "(Combining them will make them match by OR-logic)\n"
++ " --stealth Match TCP Stealth packets\n"
++ " --synscan Match TCP SYN scans\n"
++ " --cnscan Match TCP Connect scans\n"
++ " --grscan Match Banner Grabbing scans\n",
++ IPTABLES_VERSION);
++ return;
++}
++
++static int portscan_mt_parse(int c, char **argv, int invert,
++ unsigned int *flags, const void *entry, struct xt_entry_match **match)
++{
++ struct xt_portscan_match_info *info = (void *)((*match)->data);
++
++ switch (c) {
++ case 'c':
++ info->match_cn = true;
++ return true;
++ case 'g':
++ info->match_gr = true;
++ return true;
++ case 's':
++ info->match_syn = true;
++ return true;
++ case 'x':
++ info->match_stealth = true;
++ return true;
++ }
++ return false;
++}
++
++static void portscan_mt_check(unsigned int flags)
++{
++ return;
++}
++
++static void portscan_mt_print(const void *ip,
++ const struct xt_entry_match *match, int numeric)
++{
++ const struct xt_portscan_match_info *info = (const void *)(match->data);
++ const char *s = "";
++
++ printf("portscan ");
++ if (info->match_stealth) {
++ printf("STEALTH");
++ s = ",";
++ }
++ if (info->match_syn) {
++ printf("%sSYNSCAN", s);
++ s = ",";
++ }
++ if (info->match_cn) {
++ printf("%sCNSCAN", s);
++ s = ",";
++ }
++ if (info->match_gr)
++ printf("%sGRSCAN", s);
++ printf(" ");
++ return;
++}
++
++static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
++{
++ const struct xt_portscan_match_info *info = (const void *)(match->data);
++
++ if (info->match_stealth)
++ printf("--stealth ");
++ if (info->match_syn)
++ printf("--synscan ");
++ if (info->match_cn)
++ printf("--cnscan ");
++ if (info->match_gr)
++ printf("--grscan ");
++ return;
++}
++
++static struct xtables_match portscan_mt_reg = {
++ .version = IPTABLES_VERSION,
++ .name = "portscan",
++ .family = AF_INET,
++ .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
++ .help = portscan_mt_help,
++ .parse = portscan_mt_parse,
++ .final_check = portscan_mt_check,
++ .print = portscan_mt_print,
++ .save = portscan_mt_save,
++ .extra_opts = portscan_mt_opts,
++};
++
++void _init(void)
++{
++ xtables_register_match(&portscan_mt_reg);
++ return;
++}
+Index: iptables-1.4.0/extensions/libxt_portscan.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_portscan.man
+@@ -0,0 +1,27 @@
++Detects simple port scan attemps based upon the packet's contents. (This is
++different from other implementations, which also try to match the rate of new
++connections.) Note that an attempt is only discovered after it has been carried
++out, but this information can be used in conjunction with other rules to block
++the remote host's future connections. So this match module will match on the
++(probably) last packet the remote side will send to your machine.
++.TP
++\fB--stealth\fR
++Match if the packet did not belong to any known TCP connection
++(Stealth/FIN/XMAS/NULL scan).
++.TP
++\fB--synscan\fR
++Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
++connection was torn down after the 2nd packet in the 3-way handshake.
++.TP
++\fB--cnscan\fR
++Match if the connection was a TCP full open discovery (connect scan), i.e. the
++connection was torn down after completion of the 3-way handshake.
++.TP
++\fB--grscan\fR
++Match if data in the connection only flew in the direction of the remote side,
++e.g. if the connection was terminated after a locally running daemon sent its
++identification. (e.g. openssh)
++.PP
++NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
++so be advised to carefully use xt_portscan in conjunction with blocking rules,
++as it may lock out your very own internal network.
--- /dev/null
+Index: iptables-1.4.0/extensions/libxt_TARPIT.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_TARPIT.c
+@@ -0,0 +1,55 @@
++/* Shared library add-on to iptables to add TARPIT target support */
++#include <stdio.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++
++static void TARPIT_help(void)
++{
++ fputs(
++"TARPIT takes no options\n"
++"\n", stdout);
++}
++
++static struct option TARPIT_opts[] = {
++ { 0 }
++};
++
++static int TARPIT_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ return 0;
++}
++
++static void TARPIT_final_check(unsigned int flags)
++{
++}
++
++static void TARPIT_print(const void *ip, const struct xt_entry_target *target,
++ int numeric)
++{
++}
++
++static void TARPIT_save(const void *ip, const struct xt_entry_target *target)
++{
++}
++
++static struct xtables_target tarpit_target = {
++ .family = AF_INET,
++ .name = "TARPIT",
++ .version = IPTABLES_VERSION,
++ .size = XT_ALIGN(0),
++ .userspacesize = XT_ALIGN(0),
++ .help = TARPIT_help,
++ .parse = TARPIT_parse,
++ .final_check = TARPIT_final_check,
++ .print = TARPIT_print,
++ .save = TARPIT_save,
++ .extra_opts = TARPIT_opts
++};
++
++void _init(void)
++{
++ xtables_register_target(&tarpit_target);
++}
+Index: iptables-1.4.0/extensions/libxt_TARPIT.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_TARPIT.man
+@@ -0,0 +1,34 @@
++Captures and holds incoming TCP connections using no local
++per-connection resources. Connections are accepted, but immediately
++switched to the persist state (0 byte window), in which the remote
++side stops sending data and asks to continue every 60-240 seconds.
++Attempts to close the connection are ignored, forcing the remote side
++to time out the connection in 12-24 minutes.
++
++This offers similar functionality to LaBrea
++<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
++hardware or IPs. Any TCP port that you would normally DROP or REJECT
++can instead become a tarpit.
++
++To tarpit connections to TCP port 80 destined for the current machine:
++.IP
++iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
++.P
++To significantly slow down Code Red/Nimda-style scans of unused address
++space, forward unused ip addresses to a Linux box not acting as a router
++(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
++forwarding on the Linux box, and add:
++.IP
++iptables -A FORWARD -p tcp -j TARPIT
++.IP
++iptables -A FORWARD -j DROP
++.TP
++NOTE:
++If you use the conntrack module while you are using TARPIT, you should
++also use the NOTRACK target, or the kernel will unnecessarily allocate
++resources for each TARPITted connection. To TARPIT incoming
++connections to the standard IRC port while using conntrack, you could:
++.IP
++iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
++.IP
++iptables -A INPUT -p tcp --dport 6667 -j TARPIT
+Index: iptables-1.4.0/extensions/.TARPIT-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.TARPIT-testx
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f "$KERNEL_DIR/net/netfilter/xt_TARPIT.c" ] && echo "TARPIT"
-#
+#
# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
define KernelPackage/ipt-conntrack/description
Netfilter (IPv4) kernel modules for connection tracking
- Includes:
- - ipt_conntrack
- - ipt_helper
+ Includes:
+ - ipt_conntrack
+ - ipt_helper
- ipt_connmark/CONNMARK
endef
endef
define KernelPackage/ipt-filter/description
- Netfilter (IPv4) kernel modules for packet content inspection
- Includes:
- - ipt_ipp2p
+ Netfilter (IPv4) kernel modules for packet content inspection
+ Includes:
+ - ipt_ipp2p
- ipt_layer7
endef
endef
define KernelPackage/ipt-ipopt/description
- Netfilter (IPv4) modules for matching/changing IP packet options
- Includes:
- - ipt_CLASSIFY
- - ipt_dscp/DSCP
- - ipt_ecn/ECN
- - ipt_length
- - ipt_mac
- - ipt_tos/TOS
- - ipt_tcpmms
- - ipt_ttl/TTL
+ Netfilter (IPv4) modules for matching/changing IP packet options
+ Includes:
+ - ipt_CLASSIFY
+ - ipt_dscp/DSCP
+ - ipt_ecn/ECN
+ - ipt_length
+ - ipt_mac
+ - ipt_tos/TOS
+ - ipt_tcpmms
+ - ipt_ttl/TTL
- ipt_unclean
endef
endef
define KernelPackage/ipt-ipsec/description
- Netfilter (IPv4) modules for matching IPSec packets
- Includes:
- - ipt_ah
+ Netfilter (IPv4) modules for matching IPSec packets
+ Includes:
+ - ipt_ah
- ipt_esp
endef
endef
define KernelPackage/ipt-nat/description
- Netfilter (IPv4) modules for extra NAT targets
- Includes:
- - ipt_REDIRECT
+ Netfilter (IPv4) modules for extra NAT targets
+ Includes:
+ - ipt_REDIRECT
- ipt_NETMAP
endef
endef
define KernelPackage/ipt-nathelper/description
- Default Netfilter (IPv4) Conntrack and NAT helpers
- Includes:
- - ip_conntrack_ftp
- - ip_nat_ftp
- - ip_conntrack_irc
- - ip_nat_irc
+ Default Netfilter (IPv4) Conntrack and NAT helpers
+ Includes:
+ - ip_conntrack_ftp
+ - ip_nat_ftp
+ - ip_conntrack_irc
+ - ip_nat_irc
- ip_conntrack_tftp
endef
endef
define KernelPackage/ipt-nathelper-extra/description
- Extra Netfilter (IPv4) Conntrack and NAT helpers
- Includes:
- - ip_conntrack_amanda
- - ip_conntrack_proto_gre
- - ip_nat_proto_gre
- - ip_conntrack_pptp
- - ip_nat_pptp
- - ip_conntrack_sip
- - ip_nat_sip
+ Extra Netfilter (IPv4) Conntrack and NAT helpers
+ Includes:
+ - ip_conntrack_amanda
+ - ip_conntrack_proto_gre
+ - ip_nat_proto_gre
+ - ip_conntrack_pptp
+ - ip_nat_pptp
+ - ip_conntrack_sip
+ - ip_nat_sip
- ip_nat_snmp_basic
endef
endef
define KernelPackage/ipt-queue/description
- Netfilter (IPv4) module for user-space packet queueing
- Includes:
+ Netfilter (IPv4) module for user-space packet queueing
+ Includes:
- ipt_QUEUE
endef
endef
define KernelPackage/ipt-ulog/description
- Netfilter (IPv4) module for user-space packet logging
- Includes:
+ Netfilter (IPv4) module for user-space packet logging
+ Includes:
- ipt_ULOG
endef
endef
define KernelPackage/ipt-iprange/description
- Netfilter (IPv4) module for matching ip ranges
- Includes:
+ Netfilter (IPv4) module for matching ip ranges
+ Includes:
- ipt_IPRANGE
endef
define KernelPackage/ipt-ipset/description
Netfilter kernel modules for ipset
- Includes:
- - ip_set
- - ip_set_iphash
- - ip_set_ipmap
- - ip_set_ipporthash
- - ip_set_iptree
+ Includes:
+ - ip_set
+ - ip_set_iphash
+ - ip_set_ipmap
+ - ip_set_ipporthash
+ - ip_set_iptree
- ip_set_iptreemap
- - ip_set_macipmap
- - ip_set_nethash
- - ip_set_portmap
- - ipt_set
+ - ip_set_macipmap
+ - ip_set_nethash
+ - ip_set_portmap
+ - ipt_set
- ipt_SET
endef
define KernelPackage/ipt-extra/description
Other Netfilter (IPv4) kernel modules
- Includes:
- - ipt_limit
- - ipt_owner
- - ipt_physdev
- - ipt_pkttype
- - ipt_recent
- - iptable_raw
- - xt_NOTRACK
- - xt_TARPIT
- - xt_DELUDE
- - xt_CHAOS
+ Includes:
+ - ipt_limit
+ - ipt_owner
+ - ipt_physdev
+ - ipt_pkttype
+ - ipt_recent
+ - iptable_raw
+ - xt_NOTRACK
+ - xt_TARPIT
+ - xt_DELUDE
+ - xt_CHAOS
endef
$(eval $(call KernelPackage,ipt-extra))
define KernelPackage/ip6tables
SUBMENU:=$(NF_MENU)
TITLE:=IPv6 modules
+ DEPENDS:=+kmod-ipv6
KCONFIG:=CONFIG_IP6_NF_IPTABLES
FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))
AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_IPV6-m)))
--- /dev/null
+Index: linux-2.4.35.4/Documentation/Configure.help
+===================================================================
+--- linux-2.4.35.4.orig/Documentation/Configure.help 2007-12-15 05:19:54.063501941 +0100
++++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:06.024183543 +0100
+@@ -29207,6 +29207,18 @@
+
+ If unsure, say N.
+
++CONFIG_IP_NF_MATCH_LAYER7
++ Say Y if you want to be able to classify connections (and their
++ packets) based on regular expression matching of their application
++ layer data. This is one way to classify applications such as
++ peer-to-peer filesharing systems that do not always use the same
++ port.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
++CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++ Say Y to get lots of debugging output.
++
+ #
+ # A couple of things I keep forgetting:
+ # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
+Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h
+===================================================================
+--- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:19:38.358606970 +0100
++++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:06.024183543 +0100
+@@ -207,6 +207,17 @@
+ } nat;
+ #endif /* CONFIG_IP_NF_NAT_NEEDED */
+
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++ struct {
++ unsigned int numpackets; /* surely this is kept track of somewhere else, right? I can't find it... */
++ char * app_proto; /* "http", "ftp", etc. NULL if unclassifed */
++
++ /* the application layer data so far. NULL if ->numpackets > numpackets */
++ char * app_data;
++
++ unsigned int app_data_len;
++ } layer7;
++#endif
+ };
+
+ /* get master conntrack via master expectation */
+Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h 2007-12-15 05:20:06.032183998 +0100
+@@ -0,0 +1,27 @@
++/*
++ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++*/
++
++#ifndef _IPT_LAYER7_H
++#define _IPT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++typedef char *(*proc_ipt_search) (char *, char, char *);
++
++struct ipt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char pattern[MAX_PATTERN_LEN];
++ u_int8_t invert;
++ u_int8_t pkt;
++};
++
++#endif /* _IPT_LAYER7_H */
+Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
+===================================================================
+--- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:05.764168722 +0100
++++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:06.036184227 +0100
+@@ -44,6 +44,9 @@
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
++ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
++ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
++
+ fi
+ # The targets
+ dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
+Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:05.764168722 +0100
++++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:06.036184227 +0100
+@@ -87,6 +87,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
+ obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
+ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
++obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
+
+ # targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c
+===================================================================
+--- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:19:38.386608565 +0100
++++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:06.036184227 +0100
+@@ -346,6 +346,14 @@
+ }
+ kfree(ct->master);
+ }
++
++ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++ if(ct->layer7.app_proto)
++ kfree(ct->layer7.app_proto);
++ if(ct->layer7.app_data)
++ kfree(ct->layer7.app_data);
++ #endif
++
+ WRITE_UNLOCK(&ip_conntrack_lock);
+
+ if (master)
+Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c
+===================================================================
+--- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:19:38.394609023 +0100
++++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:06.036184227 +0100
+@@ -107,6 +107,13 @@
+ len += sprintf(buffer + len, "[ASSURED] ");
+ len += sprintf(buffer + len, "use=%u ",
+ atomic_read(&conntrack->ct_general.use));
++
++ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++ if(conntrack->layer7.app_proto)
++ len += sprintf(buffer + len, "l7proto=%s ",
++ conntrack->layer7.app_proto);
++ #endif
++
+ len += sprintf(buffer + len, "\n");
+
+ return len;
+Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c 2007-12-15 05:20:06.040184453 +0100
+@@ -0,0 +1,595 @@
++/*
++ Kernel module to match application layer (OSI layer 7)
++ data in connections.
++
++ http://l7-filter.sf.net
++
++ By Matthew Strait and Ethan Sommer, 2003-2005.
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
++ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
++*/
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++#include <linux/proc_fs.h>
++#include <linux/ctype.h>
++#include <net/ip.h>
++#include <net/tcp.h>
++#include <linux/netfilter_ipv4/lockhelp.h>
++
++#include "regexp/regexp.c"
++
++#include <linux/netfilter_ipv4/ipt_layer7.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
++MODULE_LICENSE("GPL");
++MODULE_DESCRIPTION("iptables application layer match module");
++
++static int maxdatalen = 2048; // this is the default
++MODULE_PARM(maxdatalen,"i");
++MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter");
++
++#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
++ #define DPRINTK(format,args...) printk(format,##args)
++#else
++ #define DPRINTK(format,args...)
++#endif
++
++#define TOTAL_PACKETS master_conntrack->layer7.numpackets
++
++/* Number of packets whose data we look at.
++This can be modified through /proc/net/layer7_numpackets */
++static int num_packets = 10;
++
++static struct pattern_cache {
++ char * regex_string;
++ regexp * pattern;
++ struct pattern_cache * next;
++} * first_pattern_cache = NULL;
++
++/* I'm new to locking. Here are my assumptions:
++
++- No one will write to /proc/net/layer7_numpackets over and over very fast;
++ if they did, nothing awful would happen.
++
++- This code will never be processing the same packet twice at the same time,
++ because iptables rules are traversed in order.
++
++- It doesn't matter if two packets from different connections are in here at
++ the same time, because they don't share any data.
++
++- It _does_ matter if two packets from the same connection are here at the same
++ time. In this case, we have to protect the conntracks and the list of
++ compiled patterns.
++*/
++DECLARE_RWLOCK(ct_lock);
++DECLARE_LOCK(list_lock);
++
++#if CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++/* Converts an unfriendly string into a friendly one by
++replacing unprintables with periods and all whitespace with " ". */
++static char * friendly_print(unsigned char * s)
++{
++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
++ int i;
++
++ if(!f) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++){
++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
++ else if(isspace(s[i])) f[i] = ' ';
++ else f[i] = '.';
++ }
++ f[i] = '\0';
++ return f;
++}
++
++static char dec2hex(int i)
++{
++ switch (i) {
++ case 0 ... 9:
++ return (char)(i + '0');
++ break;
++ case 10 ... 15:
++ return (char)(i - 10 + 'a');
++ break;
++ default:
++ if (net_ratelimit())
++ printk("Problem in dec2hex\n");
++ return '\0';
++ }
++}
++
++static char * hex_print(unsigned char * s)
++{
++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
++ int i;
++
++ if(!g) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++) {
++ g[i*3 ] = dec2hex(s[i]/16);
++ g[i*3 + 1] = dec2hex(s[i]%16);
++ g[i*3 + 2] = ' ';
++ }
++ g[i*3] = '\0';
++
++ return g;
++}
++#endif // DEBUG
++
++/* Use instead of regcomp. As we expect to be seeing the same regexps over and
++over again, it make sense to cache the results. */
++static regexp * compile_and_cache(char * regex_string, char * protocol)
++{
++ struct pattern_cache * node = first_pattern_cache;
++ struct pattern_cache * last_pattern_cache = first_pattern_cache;
++ struct pattern_cache * tmp;
++ unsigned int len;
++
++ while (node != NULL) {
++ if (!strcmp(node->regex_string, regex_string))
++ return node->pattern;
++
++ last_pattern_cache = node;/* points at the last non-NULL node */
++ node = node->next;
++ }
++
++ /* If we reach the end of the list, then we have not yet cached
++ the pattern for this regex. Let's do that now.
++ Be paranoid about running out of memory to avoid list corruption. */
++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
++
++ if(!tmp) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ return NULL;
++ }
++
++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
++ tmp->next = NULL;
++
++ if(!tmp->regex_string || !tmp->pattern) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ kfree(tmp->regex_string);
++ kfree(tmp->pattern);
++ kfree(tmp);
++ return NULL;
++ }
++
++ /* Ok. The new node is all ready now. */
++ node = tmp;
++
++ if(first_pattern_cache == NULL) /* list is empty */
++ first_pattern_cache = node; /* make node the beginning */
++ else
++ last_pattern_cache->next = node; /* attach node to the end */
++
++ /* copy the string and compile the regex */
++ len = strlen(regex_string);
++ DPRINTK("About to compile this: \"%s\"\n", regex_string);
++ node->pattern = regcomp(regex_string, &len);
++ if ( !node->pattern ) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
++ /* pattern is now cached as NULL, so we won't try again. */
++ }
++
++ strcpy(node->regex_string, regex_string);
++ return node->pattern;
++}
++
++static int can_handle(const struct sk_buff *skb)
++{
++ if(!skb->nh.iph) /* not IP */
++ return 0;
++ if(skb->nh.iph->protocol != IPPROTO_TCP &&
++ skb->nh.iph->protocol != IPPROTO_UDP &&
++ skb->nh.iph->protocol != IPPROTO_ICMP)
++ return 0;
++ return 1;
++}
++
++/* Returns offset the into the skb->data that the application data starts */
++static int app_data_offset(const struct sk_buff *skb)
++{
++ /* In case we are ported somewhere (ebtables?) where skb->nh.iph
++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
++ int ip_hl = 4*skb->nh.iph->ihl;
++
++ if( skb->nh.iph->protocol == IPPROTO_TCP ) {
++ /* 12 == offset into TCP header for the header length field.
++ Can't get this with skb->h.th->doff because the tcphdr
++ struct doesn't get set when routing (this is confirmed to be
++ true in Netfilter as well as QoS.) */
++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
++
++ return ip_hl + tcp_hl;
++ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) {
++ return ip_hl + 8; /* UDP header is always 8 bytes */
++ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) {
++ return ip_hl + 8; /* ICMP header is 8 bytes */
++ } else {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
++ return ip_hl + 8; /* something reasonable */
++ }
++}
++
++/* handles whether there's a match when we aren't appending data anymore */
++static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
++ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
++ struct ipt_layer7_info * info)
++{
++ /* If we're in here, throw the app data away */
++ WRITE_LOCK(&ct_lock);
++ if(master_conntrack->layer7.app_data != NULL) {
++
++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++ if(!master_conntrack->layer7.app_proto) {
++ char * f = friendly_print(master_conntrack->layer7.app_data);
++ char * g = hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
++ strlen(f),
++ TOTAL_PACKETS, f);
++ kfree(f);
++ DPRINTK("In hex: %s\n", g);
++ kfree(g);
++ }
++ #endif
++
++ kfree(master_conntrack->layer7.app_data);
++ master_conntrack->layer7.app_data = NULL; /* don't free again */
++ }
++ WRITE_UNLOCK(&ct_lock);
++
++ if(master_conntrack->layer7.app_proto){
++ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
++ WRITE_LOCK(&ct_lock);
++ if(!conntrack->layer7.app_proto) {
++ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
++ if(!conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
++ WRITE_UNLOCK(&ct_lock);
++ return 1;
++ }
++ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
++ }
++ WRITE_UNLOCK(&ct_lock);
++
++ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
++ }
++ else {
++ /* If not classified, set to "unknown" to distinguish from
++ connections that are still being tested. */
++ WRITE_LOCK(&ct_lock);
++ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
++ WRITE_UNLOCK(&ct_lock);
++ return 1;
++ }
++ strcpy(master_conntrack->layer7.app_proto, "unknown");
++ WRITE_UNLOCK(&ct_lock);
++ return 0;
++ }
++}
++
++static int add_datastr(char *target, int offset, char *app_data, int len)
++{
++ int length = 0, i;
++
++ /* Strip nulls. Make everything lower case (our regex lib doesn't
++ do case insensitivity). Add it to the end of the current data. */
++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
++ if(app_data[i] != '\0') {
++ target[length+offset] =
++ /* the kernel version of tolower mungs 'upper ascii' */
++ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
++ length++;
++ }
++ }
++
++ target[length+offset] = '\0';
++
++ return length;
++}
++
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct ip_conntrack * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length;
++
++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
++ master_conntrack->layer7.app_data_len += length;
++
++ return length;
++}
++
++/* Returns true on match and false otherwise. */
++static int match(/* const */struct sk_buff *skb, const struct net_device *in,
++ const struct net_device *out, const void *matchinfo,
++ int offset, int *hotdrop)
++{
++ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
++ enum ip_conntrack_info master_ctinfo, ctinfo;
++ struct ip_conntrack *master_conntrack, *conntrack;
++ unsigned char *app_data, *tmp_data;
++ unsigned int pattern_result, appdatalen;
++ regexp * comppattern;
++
++ if(!can_handle(skb)){
++ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ return info->invert;
++ }
++
++ /* Treat the parent and all its children together as one connection,
++ except for the purpose of setting conntrack->layer7.app_proto in the
++ actual connection. This makes /proc/net/ip_conntrack somewhat more
++ satisfying. */
++ if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
++ !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
++ DPRINTK("layer7: packet is not from a known connection, giving up.\n");
++ return info->invert;
++ }
++
++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
++ while (master_ct(master_conntrack) != NULL)
++ master_conntrack = master_ct(master_conntrack);
++
++ if(!skb->cb[0]){
++ WRITE_LOCK(&ct_lock);
++ master_conntrack->layer7.numpackets++;/*starts at 0 via memset*/
++ WRITE_UNLOCK(&ct_lock);
++ }
++
++ /* if we've classified it or seen too many packets */
++ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto)) {
++
++ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++
++ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
++ rules. I'm not sure that using cb for this purpose is correct, although
++ it says "put your private variables there". But it doesn't look like it
++ is being used for anything else in the skbs that make it here. How can
++ I write to cb without making the compiler angry? */
++ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
++
++ return (pattern_result ^ info->invert);
++ }
++
++ if(skb_is_nonlinear(skb)){
++ if(skb_linearize(skb, GFP_ATOMIC) != 0){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
++ return info->invert;
++ }
++ }
++
++ /* now that the skb is linearized, it's safe to set these. */
++ app_data = skb->data + app_data_offset(skb);
++ appdatalen = skb->tail - app_data;
++
++ LOCK_BH(&list_lock);
++ /* the return value gets checked later, when we're ready to use it */
++ comppattern = compile_and_cache(info->pattern, info->protocol);
++ UNLOCK_BH(&list_lock);
++
++ if (info->pkt) {
++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!tmp_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ return info->invert;
++ }
++
++ tmp_data[0] = '\0';
++ add_datastr(tmp_data, 0, app_data, appdatalen);
++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++ kfree(tmp_data);
++ tmp_data = NULL;
++
++ return (pattern_result ^ info->invert);
++ }
++
++ /* On the first packet of a connection, allocate space for app data */
++ WRITE_LOCK(&ct_lock);
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
++ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ WRITE_UNLOCK(&ct_lock);
++ return info->invert;
++ }
++
++ master_conntrack->layer7.app_data[0] = '\0';
++ }
++ WRITE_UNLOCK(&ct_lock);
++
++ /* Can be here, but unallocated, if numpackets is increased near
++ the beginning of a connection */
++ if(master_conntrack->layer7.app_data == NULL)
++ return (info->invert); /* unmatched */
++
++ if(!skb->cb[0]){
++ int newbytes;
++ WRITE_LOCK(&ct_lock);
++ newbytes = add_data(master_conntrack, app_data, appdatalen);
++ WRITE_UNLOCK(&ct_lock);
++
++ if(newbytes == 0) { /* didn't add any data */
++ skb->cb[0] = 1;
++ /* Didn't match before, not going to match now */
++ return info->invert;
++ }
++ }
++
++ /* If looking for "unknown", then never match. "Unknown" means that
++ we've given up; we're still trying with these packets. */
++ if(!strcmp(info->protocol, "unknown")) {
++ pattern_result = 0;
++ /* If the regexp failed to compile, don't bother running it */
++ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
++ DPRINTK("layer7: regexec positive: %s!\n", info->protocol);
++ pattern_result = 1;
++ } else pattern_result = 0;
++
++ if(pattern_result) {
++ WRITE_LOCK(&ct_lock);
++ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ WRITE_UNLOCK(&ct_lock);
++ return (pattern_result ^ info->invert);
++ }
++ strcpy(master_conntrack->layer7.app_proto, info->protocol);
++ WRITE_UNLOCK(&ct_lock);
++ }
++
++ /* mark the packet seen */
++ skb->cb[0] = 1;
++
++ return (pattern_result ^ info->invert);
++}
++
++static int checkentry(const char *tablename, const struct ipt_ip *ip,
++ void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
++{
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_layer7_info)))
++ return 0;
++ return 1;
++}
++
++static struct ipt_match layer7_match = {
++ .name = "layer7",
++ .match = &match,
++ .checkentry = &checkentry,
++ .me = THIS_MODULE
++};
++
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
++{
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
++ return count;
++ }
++
++ copy_from_user(foo, buffer, count);
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++/* register the proc file */
++static void layer7_init_proc(void)
++{
++ struct proc_dir_entry* entry;
++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
++ entry->read_proc = layer7_read_proc;
++ entry->write_proc = layer7_write_proc;
++}
++
++static void layer7_cleanup_proc(void)
++{
++ remove_proc_entry("layer7_numpackets", proc_net);
++}
++
++static int __init init(void)
++{
++ layer7_init_proc();
++ if(maxdatalen < 1) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
++ maxdatalen = 1;
++ }
++ /* This is not a hard limit. It's just here to prevent people from
++ bringing their slow machines to a grinding halt. */
++ else if(maxdatalen > 65536) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
++ maxdatalen = 65536;
++ }
++ return ipt_register_match(&layer7_match);
++}
++
++static void __exit fini(void)
++{
++ layer7_cleanup_proc();
++ ipt_unregister_match(&layer7_match);
++}
++
++module_init(init);
++module_exit(fini);
+Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c 2007-12-15 05:20:06.040184453 +0100
+@@ -0,0 +1,1195 @@
++/*
++ * regcomp and regexec -- regsub and regerror are elsewhere
++ * @(#)regexp.c 1.3 of 18 April 87
++ *
++ * Copyright (c) 1986 by University of Toronto.
++ * Written by Henry Spencer. Not derived from licensed software.
++ *
++ * Permission is granted to anyone to use this software for any
++ * purpose on any computer system, and to redistribute it freely,
++ * subject to the following restrictions:
++ *
++ * 1. The author is not responsible for the consequences of use of
++ * this software, no matter how awful, even if they arise
++ * from defects in it.
++ *
++ * 2. The origin of this software must not be misrepresented, either
++ * by explicit claim or by omission.
++ *
++ * 3. Altered versions must be plainly marked as such, and must not
++ * be misrepresented as being the original software.
++ *
++ * Beware that some of this code is subtly aware of the way operator
++ * precedence is structured in regular expressions. Serious changes in
++ * regular-expression syntax might require a total rethink.
++ *
++ * This code was modified by Ethan Sommer to work within the kernel
++ * (it now uses kmalloc etc..)
++ *
++ * Modified slightly by Matthew Strait to use more modern C.
++ */
++
++#include "regexp.h"
++#include "regmagic.h"
++
++/* added by ethan and matt. Lets it work in both kernel and user space.
++(So iptables can use it, for instance.) Yea, it goes both ways... */
++#if __KERNEL__
++ #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
++#else
++ #define printk(format,args...) printf(format,##args)
++#endif
++
++void regerror(char * s)
++{
++ printk("<3>Regexp: %s\n", s);
++ /* NOTREACHED */
++}
++
++/*
++ * The "internal use only" fields in regexp.h are present to pass info from
++ * compile to execute that permits the execute phase to run lots faster on
++ * simple cases. They are:
++ *
++ * regstart char that must begin a match; '\0' if none obvious
++ * reganch is the match anchored (at beginning-of-line only)?
++ * regmust string (pointer into program) that match must include, or NULL
++ * regmlen length of regmust string
++ *
++ * Regstart and reganch permit very fast decisions on suitable starting points
++ * for a match, cutting down the work a lot. Regmust permits fast rejection
++ * of lines that cannot possibly match. The regmust tests are costly enough
++ * that regcomp() supplies a regmust only if the r.e. contains something
++ * potentially expensive (at present, the only such thing detected is * or +
++ * at the start of the r.e., which can involve a lot of backup). Regmlen is
++ * supplied because the test in regexec() needs it and regcomp() is computing
++ * it anyway.
++ */
++
++/*
++ * Structure for regexp "program". This is essentially a linear encoding
++ * of a nondeterministic finite-state machine (aka syntax charts or
++ * "railroad normal form" in parsing technology). Each node is an opcode
++ * plus a "next" pointer, possibly plus an operand. "Next" pointers of
++ * all nodes except BRANCH implement concatenation; a "next" pointer with
++ * a BRANCH on both ends of it is connecting two alternatives. (Here we
++ * have one of the subtle syntax dependencies: an individual BRANCH (as
++ * opposed to a collection of them) is never concatenated with anything
++ * because of operator precedence.) The operand of some types of node is
++ * a literal string; for others, it is a node leading into a sub-FSM. In
++ * particular, the operand of a BRANCH node is the first node of the branch.
++ * (NB this is *not* a tree structure: the tail of the branch connects
++ * to the thing following the set of BRANCHes.) The opcodes are:
++ */
++
++/* definition number opnd? meaning */
++#define END 0 /* no End of program. */
++#define BOL 1 /* no Match "" at beginning of line. */
++#define EOL 2 /* no Match "" at end of line. */
++#define ANY 3 /* no Match any one character. */
++#define ANYOF 4 /* str Match any character in this string. */
++#define ANYBUT 5 /* str Match any character not in this string. */
++#define BRANCH 6 /* node Match this alternative, or the next... */
++#define BACK 7 /* no Match "", "next" ptr points backward. */
++#define EXACTLY 8 /* str Match this string. */
++#define NOTHING 9 /* no Match empty string. */
++#define STAR 10 /* node Match this (simple) thing 0 or more times. */
++#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
++#define OPEN 20 /* no Mark this point in input as start of #n. */
++ /* OPEN+1 is number 1, etc. */
++#define CLOSE 30 /* no Analogous to OPEN. */
++
++/*
++ * Opcode notes:
++ *
++ * BRANCH The set of branches constituting a single choice are hooked
++ * together with their "next" pointers, since precedence prevents
++ * anything being concatenated to any individual branch. The
++ * "next" pointer of the last BRANCH in a choice points to the
++ * thing following the whole choice. This is also where the
++ * final "next" pointer of each individual branch points; each
++ * branch starts with the operand node of a BRANCH node.
++ *
++ * BACK Normal "next" pointers all implicitly point forward; BACK
++ * exists to make loop structures possible.
++ *
++ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
++ * BRANCH structures using BACK. Simple cases (one character
++ * per match) are implemented with STAR and PLUS for speed
++ * and to minimize recursive plunges.
++ *
++ * OPEN,CLOSE ...are numbered at compile time.
++ */
++
++/*
++ * A node is one char of opcode followed by two chars of "next" pointer.
++ * "Next" pointers are stored as two 8-bit pieces, high order first. The
++ * value is a positive offset from the opcode of the node containing it.
++ * An operand, if any, simply follows the node. (Note that much of the
++ * code generation knows about this implicit relationship.)
++ *
++ * Using two bytes for the "next" pointer is vast overkill for most things,
++ * but allows patterns to get big without disasters.
++ */
++#define OP(p) (*(p))
++#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
++#define OPERAND(p) ((p) + 3)
++
++/*
++ * See regmagic.h for one further detail of program structure.
++ */
++
++
++/*
++ * Utility definitions.
++ */
++#ifndef CHARBITS
++#define UCHARAT(p) ((int)*(unsigned char *)(p))
++#else
++#define UCHARAT(p) ((int)*(p)&CHARBITS)
++#endif
++
++#define FAIL(m) { regerror(m); return(NULL); }
++#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
++#define META "^$.[()|?+*\\"
++
++/*
++ * Flags to be passed up and down.
++ */
++#define HASWIDTH 01 /* Known never to match null string. */
++#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
++#define SPSTART 04 /* Starts with * or +. */
++#define WORST 0 /* Worst case. */
++
++/*
++ * Global work variables for regcomp().
++ */
++static char *regparse; /* Input-scan pointer. */
++static int regnpar; /* () count. */
++static char regdummy;
++static char *regcode; /* Code-emit pointer; ®dummy = don't. */
++static long regsize; /* Code size. */
++
++/*
++ * Forward declarations for regcomp()'s friends.
++ */
++#ifndef STATIC
++#define STATIC static
++#endif
++STATIC char *reg(int paren,int *flagp);
++STATIC char *regbranch(int *flagp);
++STATIC char *regpiece(int *flagp);
++STATIC char *regatom(int *flagp);
++STATIC char *regnode(char op);
++STATIC char *regnext(char *p);
++STATIC void regc(char b);
++STATIC void reginsert(char op, char *opnd);
++STATIC void regtail(char *p, char *val);
++STATIC void regoptail(char *p, char *val);
++
++
++__kernel_size_t my_strcspn(const char *s1,const char *s2)
++{
++ char *scan1;
++ char *scan2;
++ int count;
++
++ count = 0;
++ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
++ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
++ if (*scan1 == *scan2++)
++ return(count);
++ count++;
++ }
++ return(count);
++}
++
++/*
++ - regcomp - compile a regular expression into internal code
++ *
++ * We can't allocate space until we know how big the compiled form will be,
++ * but we can't compile it (and thus know how big it is) until we've got a
++ * place to put the code. So we cheat: we compile it twice, once with code
++ * generation turned off and size counting turned on, and once "for real".
++ * This also means that we don't allocate space until we are sure that the
++ * thing really will compile successfully, and we never have to move the
++ * code and thus invalidate pointers into it. (Note that it has to be in
++ * one piece because free() must be able to free it all.)
++ *
++ * Beware that the optimization-preparation code in here knows about some
++ * of the structure of the compiled regexp.
++ */
++regexp *
++regcomp(char *exp,int *patternsize)
++{
++ register regexp *r;
++ register char *scan;
++ register char *longest;
++ register int len;
++ int flags;
++ /* commented out by ethan
++ extern char *malloc();
++ */
++
++ if (exp == NULL)
++ FAIL("NULL argument");
++
++ /* First pass: determine size, legality. */
++ regparse = exp;
++ regnpar = 1;
++ regsize = 0L;
++ regcode = ®dummy;
++ regc(MAGIC);
++ if (reg(0, &flags) == NULL)
++ return(NULL);
++
++ /* Small enough for pointer-storage convention? */
++ if (regsize >= 32767L) /* Probably could be 65535L. */
++ FAIL("regexp too big");
++
++ /* Allocate space. */
++ *patternsize=sizeof(regexp) + (unsigned)regsize;
++ r = (regexp *)malloc(sizeof(regexp) + (unsigned)regsize);
++ if (r == NULL)
++ FAIL("out of space");
++
++ /* Second pass: emit code. */
++ regparse = exp;
++ regnpar = 1;
++ regcode = r->program;
++ regc(MAGIC);
++ if (reg(0, &flags) == NULL)
++ return(NULL);
++
++ /* Dig out information for optimizations. */
++ r->regstart = '\0'; /* Worst-case defaults. */
++ r->reganch = 0;
++ r->regmust = NULL;
++ r->regmlen = 0;
++ scan = r->program+1; /* First BRANCH. */
++ if (OP(regnext(scan)) == END) { /* Only one top-level choice. */
++ scan = OPERAND(scan);
++
++ /* Starting-point info. */
++ if (OP(scan) == EXACTLY)
++ r->regstart = *OPERAND(scan);
++ else if (OP(scan) == BOL)
++ r->reganch++;
++
++ /*
++ * If there's something expensive in the r.e., find the
++ * longest literal string that must appear and make it the
++ * regmust. Resolve ties in favor of later strings, since
++ * the regstart check works with the beginning of the r.e.
++ * and avoiding duplication strengthens checking. Not a
++ * strong reason, but sufficient in the absence of others.
++ */
++ if (flags&SPSTART) {
++ longest = NULL;
++ len = 0;
++ for (; scan != NULL; scan = regnext(scan))
++ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
++ longest = OPERAND(scan);
++ len = strlen(OPERAND(scan));
++ }
++ r->regmust = longest;
++ r->regmlen = len;
++ }
++ }
++
++ return(r);
++}
++
++/*
++ - reg - regular expression, i.e. main body or parenthesized thing
++ *
++ * Caller must absorb opening parenthesis.
++ *
++ * Combining parenthesis handling with the base level of regular expression
++ * is a trifle forced, but the need to tie the tails of the branches to what
++ * follows makes it hard to avoid.
++ */
++static char *
++reg(int paren, int *flagp /* Parenthesized? */ )
++{
++ register char *ret;
++ register char *br;
++ register char *ender;
++ register int parno = 0; /* 0 makes gcc happy */
++ int flags;
++
++ *flagp = HASWIDTH; /* Tentatively. */
++
++ /* Make an OPEN node, if parenthesized. */
++ if (paren) {
++ if (regnpar >= NSUBEXP)
++ FAIL("too many ()");
++ parno = regnpar;
++ regnpar++;
++ ret = regnode(OPEN+parno);
++ } else
++ ret = NULL;
++
++ /* Pick up the branches, linking them together. */
++ br = regbranch(&flags);
++ if (br == NULL)
++ return(NULL);
++ if (ret != NULL)
++ regtail(ret, br); /* OPEN -> first. */
++ else
++ ret = br;
++ if (!(flags&HASWIDTH))
++ *flagp &= ~HASWIDTH;
++ *flagp |= flags&SPSTART;
++ while (*regparse == '|') {
++ regparse++;
++ br = regbranch(&flags);
++ if (br == NULL)
++ return(NULL);
++ regtail(ret, br); /* BRANCH -> BRANCH. */
++ if (!(flags&HASWIDTH))
++ *flagp &= ~HASWIDTH;
++ *flagp |= flags&SPSTART;
++ }
++
++ /* Make a closing node, and hook it on the end. */
++ ender = regnode((paren) ? CLOSE+parno : END);
++ regtail(ret, ender);
++
++ /* Hook the tails of the branches to the closing node. */
++ for (br = ret; br != NULL; br = regnext(br))
++ regoptail(br, ender);
++
++ /* Check for proper termination. */
++ if (paren && *regparse++ != ')') {
++ FAIL("unmatched ()");
++ } else if (!paren && *regparse != '\0') {
++ if (*regparse == ')') {
++ FAIL("unmatched ()");
++ } else
++ FAIL("junk on end"); /* "Can't happen". */
++ /* NOTREACHED */
++ }
++
++ return(ret);
++}
++
++/*
++ - regbranch - one alternative of an | operator
++ *
++ * Implements the concatenation operator.
++ */
++static char *
++regbranch(int *flagp)
++{
++ register char *ret;
++ register char *chain;
++ register char *latest;
++ int flags;
++
++ *flagp = WORST; /* Tentatively. */
++
++ ret = regnode(BRANCH);
++ chain = NULL;
++ while (*regparse != '\0' && *regparse != '|' && *regparse != ')') {
++ latest = regpiece(&flags);
++ if (latest == NULL)
++ return(NULL);
++ *flagp |= flags&HASWIDTH;
++ if (chain == NULL) /* First piece. */
++ *flagp |= flags&SPSTART;
++ else
++ regtail(chain, latest);
++ chain = latest;
++ }
++ if (chain == NULL) /* Loop ran zero times. */
++ (void) regnode(NOTHING);
++
++ return(ret);
++}
++
++/*
++ - regpiece - something followed by possible [*+?]
++ *
++ * Note that the branching code sequences used for ? and the general cases
++ * of * and + are somewhat optimized: they use the same NOTHING node as
++ * both the endmarker for their branch list and the body of the last branch.
++ * It might seem that this node could be dispensed with entirely, but the
++ * endmarker role is not redundant.
++ */
++static char *
++regpiece(int *flagp)
++{
++ register char *ret;
++ register char op;
++ register char *next;
++ int flags;
++
++ ret = regatom(&flags);
++ if (ret == NULL)
++ return(NULL);
++
++ op = *regparse;
++ if (!ISMULT(op)) {
++ *flagp = flags;
++ return(ret);
++ }
++
++ if (!(flags&HASWIDTH) && op != '?')
++ FAIL("*+ operand could be empty");
++ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
++
++ if (op == '*' && (flags&SIMPLE))
++ reginsert(STAR, ret);
++ else if (op == '*') {
++ /* Emit x* as (x&|), where & means "self". */
++ reginsert(BRANCH, ret); /* Either x */
++ regoptail(ret, regnode(BACK)); /* and loop */
++ regoptail(ret, ret); /* back */
++ regtail(ret, regnode(BRANCH)); /* or */
++ regtail(ret, regnode(NOTHING)); /* null. */
++ } else if (op == '+' && (flags&SIMPLE))
++ reginsert(PLUS, ret);
++ else if (op == '+') {
++ /* Emit x+ as x(&|), where & means "self". */
++ next = regnode(BRANCH); /* Either */
++ regtail(ret, next);
++ regtail(regnode(BACK), ret); /* loop back */
++ regtail(next, regnode(BRANCH)); /* or */
++ regtail(ret, regnode(NOTHING)); /* null. */
++ } else if (op == '?') {
++ /* Emit x? as (x|) */
++ reginsert(BRANCH, ret); /* Either x */
++ regtail(ret, regnode(BRANCH)); /* or */
++ next = regnode(NOTHING); /* null. */
++ regtail(ret, next);
++ regoptail(ret, next);
++ }
++ regparse++;
++ if (ISMULT(*regparse))
++ FAIL("nested *?+");
++
++ return(ret);
++}
++
++/*
++ - regatom - the lowest level
++ *
++ * Optimization: gobbles an entire sequence of ordinary characters so that
++ * it can turn them into a single node, which is smaller to store and
++ * faster to run. Backslashed characters are exceptions, each becoming a
++ * separate node; the code is simpler that way and it's not worth fixing.
++ */
++static char *
++regatom(int *flagp)
++{
++ register char *ret;
++ int flags;
++
++ *flagp = WORST; /* Tentatively. */
++
++ switch (*regparse++) {
++ case '^':
++ ret = regnode(BOL);
++ break;
++ case '$':
++ ret = regnode(EOL);
++ break;
++ case '.':
++ ret = regnode(ANY);
++ *flagp |= HASWIDTH|SIMPLE;
++ break;
++ case '[': {
++ register int class;
++ register int classend;
++
++ if (*regparse == '^') { /* Complement of range. */
++ ret = regnode(ANYBUT);
++ regparse++;
++ } else
++ ret = regnode(ANYOF);
++ if (*regparse == ']' || *regparse == '-')
++ regc(*regparse++);
++ while (*regparse != '\0' && *regparse != ']') {
++ if (*regparse == '-') {
++ regparse++;
++ if (*regparse == ']' || *regparse == '\0')
++ regc('-');
++ else {
++ class = UCHARAT(regparse-2)+1;
++ classend = UCHARAT(regparse);
++ if (class > classend+1)
++ FAIL("invalid [] range");
++ for (; class <= classend; class++)
++ regc(class);
++ regparse++;
++ }
++ } else
++ regc(*regparse++);
++ }
++ regc('\0');
++ if (*regparse != ']')
++ FAIL("unmatched []");
++ regparse++;
++ *flagp |= HASWIDTH|SIMPLE;
++ }
++ break;
++ case '(':
++ ret = reg(1, &flags);
++ if (ret == NULL)
++ return(NULL);
++ *flagp |= flags&(HASWIDTH|SPSTART);
++ break;
++ case '\0':
++ case '|':
++ case ')':
++ FAIL("internal urp"); /* Supposed to be caught earlier. */
++ break;
++ case '?':
++ case '+':
++ case '*':
++ FAIL("?+* follows nothing");
++ break;
++ case '\\':
++ if (*regparse == '\0')
++ FAIL("trailing \\");
++ ret = regnode(EXACTLY);
++ regc(*regparse++);
++ regc('\0');
++ *flagp |= HASWIDTH|SIMPLE;
++ break;
++ default: {
++ register int len;
++ register char ender;
++
++ regparse--;
++ len = my_strcspn((const char *)regparse, (const char *)META);
++ if (len <= 0)
++ FAIL("internal disaster");
++ ender = *(regparse+len);
++ if (len > 1 && ISMULT(ender))
++ len--; /* Back off clear of ?+* operand. */
++ *flagp |= HASWIDTH;
++ if (len == 1)
++ *flagp |= SIMPLE;
++ ret = regnode(EXACTLY);
++ while (len > 0) {
++ regc(*regparse++);
++ len--;
++ }
++ regc('\0');
++ }
++ break;
++ }
++
++ return(ret);
++}
++
++/*
++ - regnode - emit a node
++ */
++static char * /* Location. */
++regnode(char op)
++{
++ register char *ret;
++ register char *ptr;
++
++ ret = regcode;
++ if (ret == ®dummy) {
++ regsize += 3;
++ return(ret);
++ }
++
++ ptr = ret;
++ *ptr++ = op;
++ *ptr++ = '\0'; /* Null "next" pointer. */
++ *ptr++ = '\0';
++ regcode = ptr;
++
++ return(ret);
++}
++
++/*
++ - regc - emit (if appropriate) a byte of code
++ */
++static void
++regc(char b)
++{
++ if (regcode != ®dummy)
++ *regcode++ = b;
++ else
++ regsize++;
++}
++
++/*
++ - reginsert - insert an operator in front of already-emitted operand
++ *
++ * Means relocating the operand.
++ */
++static void
++reginsert(char op, char* opnd)
++{
++ register char *src;
++ register char *dst;
++ register char *place;
++
++ if (regcode == ®dummy) {
++ regsize += 3;
++ return;
++ }
++
++ src = regcode;
++ regcode += 3;
++ dst = regcode;
++ while (src > opnd)
++ *--dst = *--src;
++
++ place = opnd; /* Op node, where operand used to be. */
++ *place++ = op;
++ *place++ = '\0';
++ *place++ = '\0';
++}
++
++/*
++ - regtail - set the next-pointer at the end of a node chain
++ */
++static void
++regtail(char *p, char *val)
++{
++ register char *scan;
++ register char *temp;
++ register int offset;
++
++ if (p == ®dummy)
++ return;
++
++ /* Find last node. */
++ scan = p;
++ for (;;) {
++ temp = regnext(scan);
++ if (temp == NULL)
++ break;
++ scan = temp;
++ }
++
++ if (OP(scan) == BACK)
++ offset = scan - val;
++ else
++ offset = val - scan;
++ *(scan+1) = (offset>>8)&0377;
++ *(scan+2) = offset&0377;
++}
++
++/*
++ - regoptail - regtail on operand of first argument; nop if operandless
++ */
++static void
++regoptail(char *p, char *val)
++{
++ /* "Operandless" and "op != BRANCH" are synonymous in practice. */
++ if (p == NULL || p == ®dummy || OP(p) != BRANCH)
++ return;
++ regtail(OPERAND(p), val);
++}
++
++/*
++ * regexec and friends
++ */
++
++/*
++ * Global work variables for regexec().
++ */
++static char *reginput; /* String-input pointer. */
++static char *regbol; /* Beginning of input, for ^ check. */
++static char **regstartp; /* Pointer to startp array. */
++static char **regendp; /* Ditto for endp. */
++
++/*
++ * Forwards.
++ */
++STATIC int regtry(regexp *prog, char *string);
++STATIC int regmatch(char *prog);
++STATIC int regrepeat(char *p);
++
++#ifdef DEBUG
++int regnarrate = 0;
++void regdump();
++STATIC char *regprop(char *op);
++#endif
++
++/*
++ - regexec - match a regexp against a string
++ */
++int
++regexec(regexp *prog, char *string)
++{
++ register char *s;
++
++ /* Be paranoid... */
++ if (prog == NULL || string == NULL) {
++ printk("<3>Regexp: NULL parameter\n");
++ return(0);
++ }
++
++ /* Check validity of program. */
++ if (UCHARAT(prog->program) != MAGIC) {
++ printk("<3>Regexp: corrupted program\n");
++ return(0);
++ }
++
++ /* If there is a "must appear" string, look for it. */
++ if (prog->regmust != NULL) {
++ s = string;
++ while ((s = strchr(s, prog->regmust[0])) != NULL) {
++ if (strncmp(s, prog->regmust, prog->regmlen) == 0)
++ break; /* Found it. */
++ s++;
++ }
++ if (s == NULL) /* Not present. */
++ return(0);
++ }
++
++ /* Mark beginning of line for ^ . */
++ regbol = string;
++
++ /* Simplest case: anchored match need be tried only once. */
++ if (prog->reganch)
++ return(regtry(prog, string));
++
++ /* Messy cases: unanchored match. */
++ s = string;
++ if (prog->regstart != '\0')
++ /* We know what char it must start with. */
++ while ((s = strchr(s, prog->regstart)) != NULL) {
++ if (regtry(prog, s))
++ return(1);
++ s++;
++ }
++ else
++ /* We don't -- general case. */
++ do {
++ if (regtry(prog, s))
++ return(1);
++ } while (*s++ != '\0');
++
++ /* Failure. */
++ return(0);
++}
++
++/*
++ - regtry - try match at specific point
++ */
++static int /* 0 failure, 1 success */
++regtry(regexp *prog, char *string)
++{
++ register int i;
++ register char **sp;
++ register char **ep;
++
++ reginput = string;
++ regstartp = prog->startp;
++ regendp = prog->endp;
++
++ sp = prog->startp;
++ ep = prog->endp;
++ for (i = NSUBEXP; i > 0; i--) {
++ *sp++ = NULL;
++ *ep++ = NULL;
++ }
++ if (regmatch(prog->program + 1)) {
++ prog->startp[0] = string;
++ prog->endp[0] = reginput;
++ return(1);
++ } else
++ return(0);
++}
++
++/*
++ - regmatch - main matching routine
++ *
++ * Conceptually the strategy is simple: check to see whether the current
++ * node matches, call self recursively to see whether the rest matches,
++ * and then act accordingly. In practice we make some effort to avoid
++ * recursion, in particular by going through "ordinary" nodes (that don't
++ * need to know whether the rest of the match failed) by a loop instead of
++ * by recursion.
++ */
++static int /* 0 failure, 1 success */
++regmatch(char *prog)
++{
++ register char *scan = prog; /* Current node. */
++ char *next; /* Next node. */
++
++#ifdef DEBUG
++ if (scan != NULL && regnarrate)
++ fprintf(stderr, "%s(\n", regprop(scan));
++#endif
++ while (scan != NULL) {
++#ifdef DEBUG
++ if (regnarrate)
++ fprintf(stderr, "%s...\n", regprop(scan));
++#endif
++ next = regnext(scan);
++
++ switch (OP(scan)) {
++ case BOL:
++ if (reginput != regbol)
++ return(0);
++ break;
++ case EOL:
++ if (*reginput != '\0')
++ return(0);
++ break;
++ case ANY:
++ if (*reginput == '\0')
++ return(0);
++ reginput++;
++ break;
++ case EXACTLY: {
++ register int len;
++ register char *opnd;
++
++ opnd = OPERAND(scan);
++ /* Inline the first character, for speed. */
++ if (*opnd != *reginput)
++ return(0);
++ len = strlen(opnd);
++ if (len > 1 && strncmp(opnd, reginput, len) != 0)
++ return(0);
++ reginput += len;
++ }
++ break;
++ case ANYOF:
++ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) == NULL)
++ return(0);
++ reginput++;
++ break;
++ case ANYBUT:
++ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) != NULL)
++ return(0);
++ reginput++;
++ break;
++ case NOTHING:
++ case BACK:
++ break;
++ case OPEN+1:
++ case OPEN+2:
++ case OPEN+3:
++ case OPEN+4:
++ case OPEN+5:
++ case OPEN+6:
++ case OPEN+7:
++ case OPEN+8:
++ case OPEN+9: {
++ register int no;
++ register char *save;
++
++ no = OP(scan) - OPEN;
++ save = reginput;
++
++ if (regmatch(next)) {
++ /*
++ * Don't set startp if some later
++ * invocation of the same parentheses
++ * already has.
++ */
++ if (regstartp[no] == NULL)
++ regstartp[no] = save;
++ return(1);
++ } else
++ return(0);
++ }
++ break;
++ case CLOSE+1:
++ case CLOSE+2:
++ case CLOSE+3:
++ case CLOSE+4:
++ case CLOSE+5:
++ case CLOSE+6:
++ case CLOSE+7:
++ case CLOSE+8:
++ case CLOSE+9:
++ {
++ register int no;
++ register char *save;
++
++ no = OP(scan) - CLOSE;
++ save = reginput;
++
++ if (regmatch(next)) {
++ /*
++ * Don't set endp if some later
++ * invocation of the same parentheses
++ * already has.
++ */
++ if (regendp[no] == NULL)
++ regendp[no] = save;
++ return(1);
++ } else
++ return(0);
++ }
++ break;
++ case BRANCH: {
++ register char *save;
++
++ if (OP(next) != BRANCH) /* No choice. */
++ next = OPERAND(scan); /* Avoid recursion. */
++ else {
++ do {
++ save = reginput;
++ if (regmatch(OPERAND(scan)))
++ return(1);
++ reginput = save;
++ scan = regnext(scan);
++ } while (scan != NULL && OP(scan) == BRANCH);
++ return(0);
++ /* NOTREACHED */
++ }
++ }
++ break;
++ case STAR:
++ case PLUS: {
++ register char nextch;
++ register int no;
++ register char *save;
++ register int min;
++
++ /*
++ * Lookahead to avoid useless match attempts
++ * when we know what character comes next.
++ */
++ nextch = '\0';
++ if (OP(next) == EXACTLY)
++ nextch = *OPERAND(next);
++ min = (OP(scan) == STAR) ? 0 : 1;
++ save = reginput;
++ no = regrepeat(OPERAND(scan));
++ while (no >= min) {
++ /* If it could work, try it. */
++ if (nextch == '\0' || *reginput == nextch)
++ if (regmatch(next))
++ return(1);
++ /* Couldn't or didn't -- back up. */
++ no--;
++ reginput = save + no;
++ }
++ return(0);
++ }
++ break;
++ case END:
++ return(1); /* Success! */
++ break;
++ default:
++ printk("<3>Regexp: memory corruption\n");
++ return(0);
++ break;
++ }
++
++ scan = next;
++ }
++
++ /*
++ * We get here only if there's trouble -- normally "case END" is
++ * the terminating point.
++ */
++ printk("<3>Regexp: corrupted pointers\n");
++ return(0);
++}
++
++/*
++ - regrepeat - repeatedly match something simple, report how many
++ */
++static int
++regrepeat(char *p)
++{
++ register int count = 0;
++ register char *scan;
++ register char *opnd;
++
++ scan = reginput;
++ opnd = OPERAND(p);
++ switch (OP(p)) {
++ case ANY:
++ count = strlen(scan);
++ scan += count;
++ break;
++ case EXACTLY:
++ while (*opnd == *scan) {
++ count++;
++ scan++;
++ }
++ break;
++ case ANYOF:
++ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
++ count++;
++ scan++;
++ }
++ break;
++ case ANYBUT:
++ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
++ count++;
++ scan++;
++ }
++ break;
++ default: /* Oh dear. Called inappropriately. */
++ printk("<3>Regexp: internal foulup\n");
++ count = 0; /* Best compromise. */
++ break;
++ }
++ reginput = scan;
++
++ return(count);
++}
++
++/*
++ - regnext - dig the "next" pointer out of a node
++ */
++static char*
++regnext(char *p)
++{
++ register int offset;
++
++ if (p == ®dummy)
++ return(NULL);
++
++ offset = NEXT(p);
++ if (offset == 0)
++ return(NULL);
++
++ if (OP(p) == BACK)
++ return(p-offset);
++ else
++ return(p+offset);
++}
++
++#ifdef DEBUG
++
++STATIC char *regprop();
++
++/*
++ - regdump - dump a regexp onto stdout in vaguely comprehensible form
++ */
++void
++regdump(regexp *r)
++{
++ register char *s;
++ register char op = EXACTLY; /* Arbitrary non-END op. */
++ register char *next;
++ /* extern char *strchr(); */
++
++
++ s = r->program + 1;
++ while (op != END) { /* While that wasn't END last time... */
++ op = OP(s);
++ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
++ next = regnext(s);
++ if (next == NULL) /* Next ptr. */
++ printf("(0)");
++ else
++ printf("(%d)", (s-r->program)+(next-s));
++ s += 3;
++ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
++ /* Literal string, where present. */
++ while (*s != '\0') {
++ putchar(*s);
++ s++;
++ }
++ s++;
++ }
++ putchar('\n');
++ }
++
++ /* Header fields of interest. */
++ if (r->regstart != '\0')
++ printf("start `%c' ", r->regstart);
++ if (r->reganch)
++ printf("anchored ");
++ if (r->regmust != NULL)
++ printf("must have \"%s\"", r->regmust);
++ printf("\n");
++}
++
++/*
++ - regprop - printable representation of opcode
++ */
++static char *
++regprop(char *op)
++{
++#define BUFLEN 50
++ register char *p;
++ static char buf[BUFLEN];
++
++ strcpy(buf, ":");
++
++ switch (OP(op)) {
++ case BOL:
++ p = "BOL";
++ break;
++ case EOL:
++ p = "EOL";
++ break;
++ case ANY:
++ p = "ANY";
++ break;
++ case ANYOF:
++ p = "ANYOF";
++ break;
++ case ANYBUT:
++ p = "ANYBUT";
++ break;
++ case BRANCH:
++ p = "BRANCH";
++ break;
++ case EXACTLY:
++ p = "EXACTLY";
++ break;
++ case NOTHING:
++ p = "NOTHING";
++ break;
++ case BACK:
++ p = "BACK";
++ break;
++ case END:
++ p = "END";
++ break;
++ case OPEN+1:
++ case OPEN+2:
++ case OPEN+3:
++ case OPEN+4:
++ case OPEN+5:
++ case OPEN+6:
++ case OPEN+7:
++ case OPEN+8:
++ case OPEN+9:
++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
++ p = NULL;
++ break;
++ case CLOSE+1:
++ case CLOSE+2:
++ case CLOSE+3:
++ case CLOSE+4:
++ case CLOSE+5:
++ case CLOSE+6:
++ case CLOSE+7:
++ case CLOSE+8:
++ case CLOSE+9:
++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
++ p = NULL;
++ break;
++ case STAR:
++ p = "STAR";
++ break;
++ case PLUS:
++ p = "PLUS";
++ break;
++ default:
++ printk("<3>Regexp: corrupted opcode\n");
++ break;
++ }
++ if (p != NULL)
++ strncat(buf, p, BUFLEN-strlen(buf));
++ return(buf);
++}
++#endif
++
++
+Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h 2007-12-15 05:20:06.040184453 +0100
+@@ -0,0 +1,40 @@
++/*
++ * Definitions etc. for regexp(3) routines.
++ *
++ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
++ * not the System V one.
++ */
++
++#ifndef REGEXP_H
++#define REGEXP_H
++
++/*
++http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
++which contains a version of this library, says:
++
++ *
++ * NSUBEXP must be at least 10, and no greater than 117 or the parser
++ * will not work properly.
++ *
++
++However, it looks rather like this library is limited to 10. If you think
++otherwise, let us know.
++*/
++
++#define NSUBEXP 10
++typedef struct regexp {
++ char *startp[NSUBEXP];
++ char *endp[NSUBEXP];
++ char regstart; /* Internal use only. */
++ char reganch; /* Internal use only. */
++ char *regmust; /* Internal use only. */
++ int regmlen; /* Internal use only. */
++ char program[1]; /* Unwarranted chumminess with compiler. */
++} regexp;
++
++regexp * regcomp(char *exp, int *patternsize);
++int regexec(regexp *prog, char *string);
++void regsub(regexp *prog, char *source, char *dest);
++void regerror(char *s);
++
++#endif
+Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h 2007-12-15 05:20:06.040184453 +0100
+@@ -0,0 +1,5 @@
++/*
++ * The first byte of the regexp internal "program" is actually this magic
++ * number; the start node begins in the second byte.
++ */
++#define MAGIC 0234
+Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c 2007-12-15 05:20:06.044184683 +0100
+@@ -0,0 +1,95 @@
++/*
++ * regsub
++ * @(#)regsub.c 1.3 of 2 April 86
++ *
++ * Copyright (c) 1986 by University of Toronto.
++ * Written by Henry Spencer. Not derived from licensed software.
++ *
++ * Permission is granted to anyone to use this software for any
++ * purpose on any computer system, and to redistribute it freely,
++ * subject to the following restrictions:
++ *
++ * 1. The author is not responsible for the consequences of use of
++ * this software, no matter how awful, even if they arise
++ * from defects in it.
++ *
++ * 2. The origin of this software must not be misrepresented, either
++ * by explicit claim or by omission.
++ *
++ * 3. Altered versions must be plainly marked as such, and must not
++ * be misrepresented as being the original software.
++ *
++ *
++ * This code was modified by Ethan Sommer to work within the kernel
++ * (it now uses kmalloc etc..)
++ *
++ */
++#include "regexp.h"
++#include "regmagic.h"
++#include <linux/string.h>
++
++
++#ifndef CHARBITS
++#define UCHARAT(p) ((int)*(unsigned char *)(p))
++#else
++#define UCHARAT(p) ((int)*(p)&CHARBITS)
++#endif
++
++#if 0
++//void regerror(char * s)
++//{
++// printk("regexp(3): %s", s);
++// /* NOTREACHED */
++//}
++#endif
++
++/*
++ - regsub - perform substitutions after a regexp match
++ */
++void
++regsub(regexp * prog, char * source, char * dest)
++{
++ register char *src;
++ register char *dst;
++ register char c;
++ register int no;
++ register int len;
++
++ /* Not necessary and gcc doesn't like it -MLS */
++ /*extern char *strncpy();*/
++
++ if (prog == NULL || source == NULL || dest == NULL) {
++ regerror("NULL parm to regsub");
++ return;
++ }
++ if (UCHARAT(prog->program) != MAGIC) {
++ regerror("damaged regexp fed to regsub");
++ return;
++ }
++
++ src = source;
++ dst = dest;
++ while ((c = *src++) != '\0') {
++ if (c == '&')
++ no = 0;
++ else if (c == '\\' && '0' <= *src && *src <= '9')
++ no = *src++ - '0';
++ else
++ no = -1;
++
++ if (no < 0) { /* Ordinary character. */
++ if (c == '\\' && (*src == '\\' || *src == '&'))
++ c = *src++;
++ *dst++ = c;
++ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
++ len = prog->endp[no] - prog->startp[no];
++ (void) strncpy(dst, prog->startp[no], len);
++ dst += len;
++ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
++ regerror("damaged match string");
++ return;
++ }
++ }
++ }
++ *dst++ = '\0';
++}
+++ /dev/null
-Index: linux-2.4.35.4/Documentation/Configure.help
-===================================================================
---- linux-2.4.35.4.orig/Documentation/Configure.help 2007-12-15 05:19:54.063501941 +0100
-+++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:06.024183543 +0100
-@@ -29207,6 +29207,18 @@
-
- If unsure, say N.
-
-+CONFIG_IP_NF_MATCH_LAYER7
-+ Say Y if you want to be able to classify connections (and their
-+ packets) based on regular expression matching of their application
-+ layer data. This is one way to classify applications such as
-+ peer-to-peer filesharing systems that do not always use the same
-+ port.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+ Say Y to get lots of debugging output.
-+
- #
- # A couple of things I keep forgetting:
- # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
-Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h
-===================================================================
---- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:19:38.358606970 +0100
-+++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:06.024183543 +0100
-@@ -207,6 +207,17 @@
- } nat;
- #endif /* CONFIG_IP_NF_NAT_NEEDED */
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ struct {
-+ unsigned int numpackets; /* surely this is kept track of somewhere else, right? I can't find it... */
-+ char * app_proto; /* "http", "ftp", etc. NULL if unclassifed */
-+
-+ /* the application layer data so far. NULL if ->numpackets > numpackets */
-+ char * app_data;
-+
-+ unsigned int app_data_len;
-+ } layer7;
-+#endif
- };
-
- /* get master conntrack via master expectation */
-Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h 2007-12-15 05:20:06.032183998 +0100
-@@ -0,0 +1,27 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
-+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+ char pkt;
-+};
-+
-+#endif /* _IPT_LAYER7_H */
-Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
-===================================================================
---- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:05.764168722 +0100
-+++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:06.036184227 +0100
-@@ -44,6 +44,9 @@
- if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
- dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
- dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
-+ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
-+ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
-+
- fi
- # The targets
- dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
-Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
-===================================================================
---- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:05.764168722 +0100
-+++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:06.036184227 +0100
-@@ -87,6 +87,7 @@
- obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
- obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
- obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
-+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
-
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
-Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c
-===================================================================
---- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:19:38.386608565 +0100
-+++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:06.036184227 +0100
-@@ -346,6 +346,14 @@
- }
- kfree(ct->master);
- }
-+
-+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ kfree(ct->layer7.app_proto);
-+ if(ct->layer7.app_data)
-+ kfree(ct->layer7.app_data);
-+ #endif
-+
- WRITE_UNLOCK(&ip_conntrack_lock);
-
- if (master)
-Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c
-===================================================================
---- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:19:38.394609023 +0100
-+++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:06.036184227 +0100
-@@ -107,6 +107,13 @@
- len += sprintf(buffer + len, "[ASSURED] ");
- len += sprintf(buffer + len, "use=%u ",
- atomic_read(&conntrack->ct_general.use));
-+
-+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(conntrack->layer7.app_proto)
-+ len += sprintf(buffer + len, "l7proto=%s ",
-+ conntrack->layer7.app_proto);
-+ #endif
-+
- len += sprintf(buffer + len, "\n");
-
- return len;
-Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c 2007-12-15 05:20:06.040184453 +0100
-@@ -0,0 +1,595 @@
-+/*
-+ Kernel module to match application layer (OSI layer 7)
-+ data in connections.
-+
-+ http://l7-filter.sf.net
-+
-+ By Matthew Strait and Ethan Sommer, 2003-2005.
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
-+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
-+*/
-+
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
-+#include <linux/proc_fs.h>
-+#include <linux/ctype.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <linux/netfilter_ipv4/lockhelp.h>
-+
-+#include "regexp/regexp.c"
-+
-+#include <linux/netfilter_ipv4/ipt_layer7.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
-+MODULE_LICENSE("GPL");
-+MODULE_DESCRIPTION("iptables application layer match module");
-+
-+static int maxdatalen = 2048; // this is the default
-+MODULE_PARM(maxdatalen,"i");
-+MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter");
-+
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
-+ #define DPRINTK(format,args...) printk(format,##args)
-+#else
-+ #define DPRINTK(format,args...)
-+#endif
-+
-+#define TOTAL_PACKETS master_conntrack->layer7.numpackets
-+
-+/* Number of packets whose data we look at.
-+This can be modified through /proc/net/layer7_numpackets */
-+static int num_packets = 10;
-+
-+static struct pattern_cache {
-+ char * regex_string;
-+ regexp * pattern;
-+ struct pattern_cache * next;
-+} * first_pattern_cache = NULL;
-+
-+/* I'm new to locking. Here are my assumptions:
-+
-+- No one will write to /proc/net/layer7_numpackets over and over very fast;
-+ if they did, nothing awful would happen.
-+
-+- This code will never be processing the same packet twice at the same time,
-+ because iptables rules are traversed in order.
-+
-+- It doesn't matter if two packets from different connections are in here at
-+ the same time, because they don't share any data.
-+
-+- It _does_ matter if two packets from the same connection are here at the same
-+ time. In this case, we have to protect the conntracks and the list of
-+ compiled patterns.
-+*/
-+DECLARE_RWLOCK(ct_lock);
-+DECLARE_LOCK(list_lock);
-+
-+#if CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+/* Converts an unfriendly string into a friendly one by
-+replacing unprintables with periods and all whitespace with " ". */
-+static char * friendly_print(unsigned char * s)
-+{
-+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!f) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++){
-+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
-+ else if(isspace(s[i])) f[i] = ' ';
-+ else f[i] = '.';
-+ }
-+ f[i] = '\0';
-+ return f;
-+}
-+
-+static char dec2hex(int i)
-+{
-+ switch (i) {
-+ case 0 ... 9:
-+ return (char)(i + '0');
-+ break;
-+ case 10 ... 15:
-+ return (char)(i - 10 + 'a');
-+ break;
-+ default:
-+ if (net_ratelimit())
-+ printk("Problem in dec2hex\n");
-+ return '\0';
-+ }
-+}
-+
-+static char * hex_print(unsigned char * s)
-+{
-+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!g) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++) {
-+ g[i*3 ] = dec2hex(s[i]/16);
-+ g[i*3 + 1] = dec2hex(s[i]%16);
-+ g[i*3 + 2] = ' ';
-+ }
-+ g[i*3] = '\0';
-+
-+ return g;
-+}
-+#endif // DEBUG
-+
-+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
-+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(char * regex_string, char * protocol)
-+{
-+ struct pattern_cache * node = first_pattern_cache;
-+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
-+ struct pattern_cache * tmp;
-+ unsigned int len;
-+
-+ while (node != NULL) {
-+ if (!strcmp(node->regex_string, regex_string))
-+ return node->pattern;
-+
-+ last_pattern_cache = node;/* points at the last non-NULL node */
-+ node = node->next;
-+ }
-+
-+ /* If we reach the end of the list, then we have not yet cached
-+ the pattern for this regex. Let's do that now.
-+ Be paranoid about running out of memory to avoid list corruption. */
-+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
-+
-+ if(!tmp) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
-+ return NULL;
-+ }
-+
-+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
-+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
-+ tmp->next = NULL;
-+
-+ if(!tmp->regex_string || !tmp->pattern) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
-+ kfree(tmp->regex_string);
-+ kfree(tmp->pattern);
-+ kfree(tmp);
-+ return NULL;
-+ }
-+
-+ /* Ok. The new node is all ready now. */
-+ node = tmp;
-+
-+ if(first_pattern_cache == NULL) /* list is empty */
-+ first_pattern_cache = node; /* make node the beginning */
-+ else
-+ last_pattern_cache->next = node; /* attach node to the end */
-+
-+ /* copy the string and compile the regex */
-+ len = strlen(regex_string);
-+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp(regex_string, &len);
-+ if ( !node->pattern ) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
-+ /* pattern is now cached as NULL, so we won't try again. */
-+ }
-+
-+ strcpy(node->regex_string, regex_string);
-+ return node->pattern;
-+}
-+
-+static int can_handle(const struct sk_buff *skb)
-+{
-+ if(!skb->nh.iph) /* not IP */
-+ return 0;
-+ if(skb->nh.iph->protocol != IPPROTO_TCP &&
-+ skb->nh.iph->protocol != IPPROTO_UDP &&
-+ skb->nh.iph->protocol != IPPROTO_ICMP)
-+ return 0;
-+ return 1;
-+}
-+
-+/* Returns offset the into the skb->data that the application data starts */
-+static int app_data_offset(const struct sk_buff *skb)
-+{
-+ /* In case we are ported somewhere (ebtables?) where skb->nh.iph
-+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+ int ip_hl = 4*skb->nh.iph->ihl;
-+
-+ if( skb->nh.iph->protocol == IPPROTO_TCP ) {
-+ /* 12 == offset into TCP header for the header length field.
-+ Can't get this with skb->h.th->doff because the tcphdr
-+ struct doesn't get set when routing (this is confirmed to be
-+ true in Netfilter as well as QoS.) */
-+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
-+
-+ return ip_hl + tcp_hl;
-+ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) {
-+ return ip_hl + 8; /* UDP header is always 8 bytes */
-+ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) {
-+ return ip_hl + 8; /* ICMP header is 8 bytes */
-+ } else {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
-+ return ip_hl + 8; /* something reasonable */
-+ }
-+}
-+
-+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
-+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
-+ struct ipt_layer7_info * info)
-+{
-+ /* If we're in here, throw the app data away */
-+ WRITE_LOCK(&ct_lock);
-+ if(master_conntrack->layer7.app_data != NULL) {
-+
-+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+ if(!master_conntrack->layer7.app_proto) {
-+ char * f = friendly_print(master_conntrack->layer7.app_data);
-+ char * g = hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
-+ strlen(f),
-+ TOTAL_PACKETS, f);
-+ kfree(f);
-+ DPRINTK("In hex: %s\n", g);
-+ kfree(g);
-+ }
-+ #endif
-+
-+ kfree(master_conntrack->layer7.app_data);
-+ master_conntrack->layer7.app_data = NULL; /* don't free again */
-+ }
-+ WRITE_UNLOCK(&ct_lock);
-+
-+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
-+ WRITE_LOCK(&ct_lock);
-+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
-+ if(!conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ WRITE_UNLOCK(&ct_lock);
-+ return 1;
-+ }
-+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
-+ }
-+ WRITE_UNLOCK(&ct_lock);
-+
-+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
-+ }
-+ else {
-+ /* If not classified, set to "unknown" to distinguish from
-+ connections that are still being tested. */
-+ WRITE_LOCK(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ WRITE_UNLOCK(&ct_lock);
-+ return 1;
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ WRITE_UNLOCK(&ct_lock);
-+ return 0;
-+ }
-+}
-+
-+static int add_datastr(char *target, int offset, char *app_data, int len)
-+{
-+ int length = 0, i;
-+
-+ /* Strip nulls. Make everything lower case (our regex lib doesn't
-+ do case insensitivity). Add it to the end of the current data. */
-+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
-+ if(app_data[i] != '\0') {
-+ target[length+offset] =
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
-+ length++;
-+ }
-+ }
-+
-+ target[length+offset] = '\0';
-+
-+ return length;
-+}
-+
-+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
-+ char * app_data, int appdatalen)
-+{
-+ int length;
-+
-+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
-+ master_conntrack->layer7.app_data_len += length;
-+
-+ return length;
-+}
-+
-+/* Returns true on match and false otherwise. */
-+static int match(/* const */struct sk_buff *skb, const struct net_device *in,
-+ const struct net_device *out, const void *matchinfo,
-+ int offset, int *hotdrop)
-+{
-+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
-+ enum ip_conntrack_info master_ctinfo, ctinfo;
-+ struct ip_conntrack *master_conntrack, *conntrack;
-+ unsigned char *app_data, *tmp_data;
-+ unsigned int pattern_result, appdatalen;
-+ regexp * comppattern;
-+
-+ if(!can_handle(skb)){
-+ DPRINTK("layer7: This is some protocol I can't handle.\n");
-+ return info->invert;
-+ }
-+
-+ /* Treat the parent and all its children together as one connection,
-+ except for the purpose of setting conntrack->layer7.app_proto in the
-+ actual connection. This makes /proc/net/ip_conntrack somewhat more
-+ satisfying. */
-+ if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
-+ !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
-+ DPRINTK("layer7: packet is not from a known connection, giving up.\n");
-+ return info->invert;
-+ }
-+
-+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
-+ while (master_ct(master_conntrack) != NULL)
-+ master_conntrack = master_ct(master_conntrack);
-+
-+ if(!skb->cb[0]){
-+ WRITE_LOCK(&ct_lock);
-+ master_conntrack->layer7.numpackets++;/*starts at 0 via memset*/
-+ WRITE_UNLOCK(&ct_lock);
-+ }
-+
-+ /* if we've classified it or seen too many packets */
-+ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto)) {
-+
-+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
-+
-+ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
-+ rules. I'm not sure that using cb for this purpose is correct, although
-+ it says "put your private variables there". But it doesn't look like it
-+ is being used for anything else in the skbs that make it here. How can
-+ I write to cb without making the compiler angry? */
-+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
-+
-+ return (pattern_result ^ info->invert);
-+ }
-+
-+ if(skb_is_nonlinear(skb)){
-+ if(skb_linearize(skb, GFP_ATOMIC) != 0){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
-+ return info->invert;
-+ }
-+ }
-+
-+ /* now that the skb is linearized, it's safe to set these. */
-+ app_data = skb->data + app_data_offset(skb);
-+ appdatalen = skb->tail - app_data;
-+
-+ LOCK_BH(&list_lock);
-+ /* the return value gets checked later, when we're ready to use it */
-+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+ UNLOCK_BH(&list_lock);
-+
-+ if (info->pkt) {
-+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
-+ if(!tmp_data){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ return info->invert;
-+ }
-+
-+ tmp_data[0] = '\0';
-+ add_datastr(tmp_data, 0, app_data, appdatalen);
-+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
-+ kfree(tmp_data);
-+ tmp_data = NULL;
-+
-+ return (pattern_result ^ info->invert);
-+ }
-+
-+ /* On the first packet of a connection, allocate space for app data */
-+ WRITE_LOCK(&ct_lock);
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_data){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ WRITE_UNLOCK(&ct_lock);
-+ return info->invert;
-+ }
-+
-+ master_conntrack->layer7.app_data[0] = '\0';
-+ }
-+ WRITE_UNLOCK(&ct_lock);
-+
-+ /* Can be here, but unallocated, if numpackets is increased near
-+ the beginning of a connection */
-+ if(master_conntrack->layer7.app_data == NULL)
-+ return (info->invert); /* unmatched */
-+
-+ if(!skb->cb[0]){
-+ int newbytes;
-+ WRITE_LOCK(&ct_lock);
-+ newbytes = add_data(master_conntrack, app_data, appdatalen);
-+ WRITE_UNLOCK(&ct_lock);
-+
-+ if(newbytes == 0) { /* didn't add any data */
-+ skb->cb[0] = 1;
-+ /* Didn't match before, not going to match now */
-+ return info->invert;
-+ }
-+ }
-+
-+ /* If looking for "unknown", then never match. "Unknown" means that
-+ we've given up; we're still trying with these packets. */
-+ if(!strcmp(info->protocol, "unknown")) {
-+ pattern_result = 0;
-+ /* If the regexp failed to compile, don't bother running it */
-+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
-+ DPRINTK("layer7: regexec positive: %s!\n", info->protocol);
-+ pattern_result = 1;
-+ } else pattern_result = 0;
-+
-+ if(pattern_result) {
-+ WRITE_LOCK(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ WRITE_UNLOCK(&ct_lock);
-+ return (pattern_result ^ info->invert);
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, info->protocol);
-+ WRITE_UNLOCK(&ct_lock);
-+ }
-+
-+ /* mark the packet seen */
-+ skb->cb[0] = 1;
-+
-+ return (pattern_result ^ info->invert);
-+}
-+
-+static int checkentry(const char *tablename, const struct ipt_ip *ip,
-+ void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
-+{
-+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_layer7_info)))
-+ return 0;
-+ return 1;
-+}
-+
-+static struct ipt_match layer7_match = {
-+ .name = "layer7",
-+ .match = &match,
-+ .checkentry = &checkentry,
-+ .me = THIS_MODULE
-+};
-+
-+/* taken from drivers/video/modedb.c */
-+static int my_atoi(const char *s)
-+{
-+ int val = 0;
-+
-+ for (;; s++) {
-+ switch (*s) {
-+ case '0'...'9':
-+ val = 10*val+(*s-'0');
-+ break;
-+ default:
-+ return val;
-+ }
-+ }
-+}
-+
-+/* write out num_packets to userland. */
-+static int layer7_read_proc(char* page, char ** start, off_t off, int count,
-+ int* eof, void * data)
-+{
-+ if(num_packets > 99 && net_ratelimit())
-+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
-+
-+ page[0] = num_packets/10 + '0';
-+ page[1] = num_packets%10 + '0';
-+ page[2] = '\n';
-+ page[3] = '\0';
-+
-+ *eof=1;
-+
-+ return 3;
-+}
-+
-+/* Read in num_packets from userland */
-+static int layer7_write_proc(struct file* file, const char* buffer,
-+ unsigned long count, void *data)
-+{
-+ char * foo = kmalloc(count, GFP_ATOMIC);
-+
-+ if(!foo){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
-+ return count;
-+ }
-+
-+ copy_from_user(foo, buffer, count);
-+
-+ num_packets = my_atoi(foo);
-+ kfree (foo);
-+
-+ /* This has an arbitrary limit to make the math easier. I'm lazy.
-+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
-+ if(num_packets > 99) {
-+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
-+ num_packets = 99;
-+ } else if(num_packets < 1) {
-+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
-+ num_packets = 1;
-+ }
-+
-+ return count;
-+}
-+
-+/* register the proc file */
-+static void layer7_init_proc(void)
-+{
-+ struct proc_dir_entry* entry;
-+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+ entry->read_proc = layer7_read_proc;
-+ entry->write_proc = layer7_write_proc;
-+}
-+
-+static void layer7_cleanup_proc(void)
-+{
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+}
-+
-+static int __init init(void)
-+{
-+ layer7_init_proc();
-+ if(maxdatalen < 1) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
-+ maxdatalen = 1;
-+ }
-+ /* This is not a hard limit. It's just here to prevent people from
-+ bringing their slow machines to a grinding halt. */
-+ else if(maxdatalen > 65536) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
-+ maxdatalen = 65536;
-+ }
-+ return ipt_register_match(&layer7_match);
-+}
-+
-+static void __exit fini(void)
-+{
-+ layer7_cleanup_proc();
-+ ipt_unregister_match(&layer7_match);
-+}
-+
-+module_init(init);
-+module_exit(fini);
-Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c 2007-12-15 05:20:06.040184453 +0100
-@@ -0,0 +1,1195 @@
-+/*
-+ * regcomp and regexec -- regsub and regerror are elsewhere
-+ * @(#)regexp.c 1.3 of 18 April 87
-+ *
-+ * Copyright (c) 1986 by University of Toronto.
-+ * Written by Henry Spencer. Not derived from licensed software.
-+ *
-+ * Permission is granted to anyone to use this software for any
-+ * purpose on any computer system, and to redistribute it freely,
-+ * subject to the following restrictions:
-+ *
-+ * 1. The author is not responsible for the consequences of use of
-+ * this software, no matter how awful, even if they arise
-+ * from defects in it.
-+ *
-+ * 2. The origin of this software must not be misrepresented, either
-+ * by explicit claim or by omission.
-+ *
-+ * 3. Altered versions must be plainly marked as such, and must not
-+ * be misrepresented as being the original software.
-+ *
-+ * Beware that some of this code is subtly aware of the way operator
-+ * precedence is structured in regular expressions. Serious changes in
-+ * regular-expression syntax might require a total rethink.
-+ *
-+ * This code was modified by Ethan Sommer to work within the kernel
-+ * (it now uses kmalloc etc..)
-+ *
-+ * Modified slightly by Matthew Strait to use more modern C.
-+ */
-+
-+#include "regexp.h"
-+#include "regmagic.h"
-+
-+/* added by ethan and matt. Lets it work in both kernel and user space.
-+(So iptables can use it, for instance.) Yea, it goes both ways... */
-+#if __KERNEL__
-+ #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
-+#else
-+ #define printk(format,args...) printf(format,##args)
-+#endif
-+
-+void regerror(char * s)
-+{
-+ printk("<3>Regexp: %s\n", s);
-+ /* NOTREACHED */
-+}
-+
-+/*
-+ * The "internal use only" fields in regexp.h are present to pass info from
-+ * compile to execute that permits the execute phase to run lots faster on
-+ * simple cases. They are:
-+ *
-+ * regstart char that must begin a match; '\0' if none obvious
-+ * reganch is the match anchored (at beginning-of-line only)?
-+ * regmust string (pointer into program) that match must include, or NULL
-+ * regmlen length of regmust string
-+ *
-+ * Regstart and reganch permit very fast decisions on suitable starting points
-+ * for a match, cutting down the work a lot. Regmust permits fast rejection
-+ * of lines that cannot possibly match. The regmust tests are costly enough
-+ * that regcomp() supplies a regmust only if the r.e. contains something
-+ * potentially expensive (at present, the only such thing detected is * or +
-+ * at the start of the r.e., which can involve a lot of backup). Regmlen is
-+ * supplied because the test in regexec() needs it and regcomp() is computing
-+ * it anyway.
-+ */
-+
-+/*
-+ * Structure for regexp "program". This is essentially a linear encoding
-+ * of a nondeterministic finite-state machine (aka syntax charts or
-+ * "railroad normal form" in parsing technology). Each node is an opcode
-+ * plus a "next" pointer, possibly plus an operand. "Next" pointers of
-+ * all nodes except BRANCH implement concatenation; a "next" pointer with
-+ * a BRANCH on both ends of it is connecting two alternatives. (Here we
-+ * have one of the subtle syntax dependencies: an individual BRANCH (as
-+ * opposed to a collection of them) is never concatenated with anything
-+ * because of operator precedence.) The operand of some types of node is
-+ * a literal string; for others, it is a node leading into a sub-FSM. In
-+ * particular, the operand of a BRANCH node is the first node of the branch.
-+ * (NB this is *not* a tree structure: the tail of the branch connects
-+ * to the thing following the set of BRANCHes.) The opcodes are:
-+ */
-+
-+/* definition number opnd? meaning */
-+#define END 0 /* no End of program. */
-+#define BOL 1 /* no Match "" at beginning of line. */
-+#define EOL 2 /* no Match "" at end of line. */
-+#define ANY 3 /* no Match any one character. */
-+#define ANYOF 4 /* str Match any character in this string. */
-+#define ANYBUT 5 /* str Match any character not in this string. */
-+#define BRANCH 6 /* node Match this alternative, or the next... */
-+#define BACK 7 /* no Match "", "next" ptr points backward. */
-+#define EXACTLY 8 /* str Match this string. */
-+#define NOTHING 9 /* no Match empty string. */
-+#define STAR 10 /* node Match this (simple) thing 0 or more times. */
-+#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
-+#define OPEN 20 /* no Mark this point in input as start of #n. */
-+ /* OPEN+1 is number 1, etc. */
-+#define CLOSE 30 /* no Analogous to OPEN. */
-+
-+/*
-+ * Opcode notes:
-+ *
-+ * BRANCH The set of branches constituting a single choice are hooked
-+ * together with their "next" pointers, since precedence prevents
-+ * anything being concatenated to any individual branch. The
-+ * "next" pointer of the last BRANCH in a choice points to the
-+ * thing following the whole choice. This is also where the
-+ * final "next" pointer of each individual branch points; each
-+ * branch starts with the operand node of a BRANCH node.
-+ *
-+ * BACK Normal "next" pointers all implicitly point forward; BACK
-+ * exists to make loop structures possible.
-+ *
-+ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
-+ * BRANCH structures using BACK. Simple cases (one character
-+ * per match) are implemented with STAR and PLUS for speed
-+ * and to minimize recursive plunges.
-+ *
-+ * OPEN,CLOSE ...are numbered at compile time.
-+ */
-+
-+/*
-+ * A node is one char of opcode followed by two chars of "next" pointer.
-+ * "Next" pointers are stored as two 8-bit pieces, high order first. The
-+ * value is a positive offset from the opcode of the node containing it.
-+ * An operand, if any, simply follows the node. (Note that much of the
-+ * code generation knows about this implicit relationship.)
-+ *
-+ * Using two bytes for the "next" pointer is vast overkill for most things,
-+ * but allows patterns to get big without disasters.
-+ */
-+#define OP(p) (*(p))
-+#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
-+#define OPERAND(p) ((p) + 3)
-+
-+/*
-+ * See regmagic.h for one further detail of program structure.
-+ */
-+
-+
-+/*
-+ * Utility definitions.
-+ */
-+#ifndef CHARBITS
-+#define UCHARAT(p) ((int)*(unsigned char *)(p))
-+#else
-+#define UCHARAT(p) ((int)*(p)&CHARBITS)
-+#endif
-+
-+#define FAIL(m) { regerror(m); return(NULL); }
-+#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
-+#define META "^$.[()|?+*\\"
-+
-+/*
-+ * Flags to be passed up and down.
-+ */
-+#define HASWIDTH 01 /* Known never to match null string. */
-+#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
-+#define SPSTART 04 /* Starts with * or +. */
-+#define WORST 0 /* Worst case. */
-+
-+/*
-+ * Global work variables for regcomp().
-+ */
-+static char *regparse; /* Input-scan pointer. */
-+static int regnpar; /* () count. */
-+static char regdummy;
-+static char *regcode; /* Code-emit pointer; ®dummy = don't. */
-+static long regsize; /* Code size. */
-+
-+/*
-+ * Forward declarations for regcomp()'s friends.
-+ */
-+#ifndef STATIC
-+#define STATIC static
-+#endif
-+STATIC char *reg(int paren,int *flagp);
-+STATIC char *regbranch(int *flagp);
-+STATIC char *regpiece(int *flagp);
-+STATIC char *regatom(int *flagp);
-+STATIC char *regnode(char op);
-+STATIC char *regnext(char *p);
-+STATIC void regc(char b);
-+STATIC void reginsert(char op, char *opnd);
-+STATIC void regtail(char *p, char *val);
-+STATIC void regoptail(char *p, char *val);
-+
-+
-+__kernel_size_t my_strcspn(const char *s1,const char *s2)
-+{
-+ char *scan1;
-+ char *scan2;
-+ int count;
-+
-+ count = 0;
-+ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
-+ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
-+ if (*scan1 == *scan2++)
-+ return(count);
-+ count++;
-+ }
-+ return(count);
-+}
-+
-+/*
-+ - regcomp - compile a regular expression into internal code
-+ *
-+ * We can't allocate space until we know how big the compiled form will be,
-+ * but we can't compile it (and thus know how big it is) until we've got a
-+ * place to put the code. So we cheat: we compile it twice, once with code
-+ * generation turned off and size counting turned on, and once "for real".
-+ * This also means that we don't allocate space until we are sure that the
-+ * thing really will compile successfully, and we never have to move the
-+ * code and thus invalidate pointers into it. (Note that it has to be in
-+ * one piece because free() must be able to free it all.)
-+ *
-+ * Beware that the optimization-preparation code in here knows about some
-+ * of the structure of the compiled regexp.
-+ */
-+regexp *
-+regcomp(char *exp,int *patternsize)
-+{
-+ register regexp *r;
-+ register char *scan;
-+ register char *longest;
-+ register int len;
-+ int flags;
-+ /* commented out by ethan
-+ extern char *malloc();
-+ */
-+
-+ if (exp == NULL)
-+ FAIL("NULL argument");
-+
-+ /* First pass: determine size, legality. */
-+ regparse = exp;
-+ regnpar = 1;
-+ regsize = 0L;
-+ regcode = ®dummy;
-+ regc(MAGIC);
-+ if (reg(0, &flags) == NULL)
-+ return(NULL);
-+
-+ /* Small enough for pointer-storage convention? */
-+ if (regsize >= 32767L) /* Probably could be 65535L. */
-+ FAIL("regexp too big");
-+
-+ /* Allocate space. */
-+ *patternsize=sizeof(regexp) + (unsigned)regsize;
-+ r = (regexp *)malloc(sizeof(regexp) + (unsigned)regsize);
-+ if (r == NULL)
-+ FAIL("out of space");
-+
-+ /* Second pass: emit code. */
-+ regparse = exp;
-+ regnpar = 1;
-+ regcode = r->program;
-+ regc(MAGIC);
-+ if (reg(0, &flags) == NULL)
-+ return(NULL);
-+
-+ /* Dig out information for optimizations. */
-+ r->regstart = '\0'; /* Worst-case defaults. */
-+ r->reganch = 0;
-+ r->regmust = NULL;
-+ r->regmlen = 0;
-+ scan = r->program+1; /* First BRANCH. */
-+ if (OP(regnext(scan)) == END) { /* Only one top-level choice. */
-+ scan = OPERAND(scan);
-+
-+ /* Starting-point info. */
-+ if (OP(scan) == EXACTLY)
-+ r->regstart = *OPERAND(scan);
-+ else if (OP(scan) == BOL)
-+ r->reganch++;
-+
-+ /*
-+ * If there's something expensive in the r.e., find the
-+ * longest literal string that must appear and make it the
-+ * regmust. Resolve ties in favor of later strings, since
-+ * the regstart check works with the beginning of the r.e.
-+ * and avoiding duplication strengthens checking. Not a
-+ * strong reason, but sufficient in the absence of others.
-+ */
-+ if (flags&SPSTART) {
-+ longest = NULL;
-+ len = 0;
-+ for (; scan != NULL; scan = regnext(scan))
-+ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
-+ longest = OPERAND(scan);
-+ len = strlen(OPERAND(scan));
-+ }
-+ r->regmust = longest;
-+ r->regmlen = len;
-+ }
-+ }
-+
-+ return(r);
-+}
-+
-+/*
-+ - reg - regular expression, i.e. main body or parenthesized thing
-+ *
-+ * Caller must absorb opening parenthesis.
-+ *
-+ * Combining parenthesis handling with the base level of regular expression
-+ * is a trifle forced, but the need to tie the tails of the branches to what
-+ * follows makes it hard to avoid.
-+ */
-+static char *
-+reg(int paren, int *flagp /* Parenthesized? */ )
-+{
-+ register char *ret;
-+ register char *br;
-+ register char *ender;
-+ register int parno = 0; /* 0 makes gcc happy */
-+ int flags;
-+
-+ *flagp = HASWIDTH; /* Tentatively. */
-+
-+ /* Make an OPEN node, if parenthesized. */
-+ if (paren) {
-+ if (regnpar >= NSUBEXP)
-+ FAIL("too many ()");
-+ parno = regnpar;
-+ regnpar++;
-+ ret = regnode(OPEN+parno);
-+ } else
-+ ret = NULL;
-+
-+ /* Pick up the branches, linking them together. */
-+ br = regbranch(&flags);
-+ if (br == NULL)
-+ return(NULL);
-+ if (ret != NULL)
-+ regtail(ret, br); /* OPEN -> first. */
-+ else
-+ ret = br;
-+ if (!(flags&HASWIDTH))
-+ *flagp &= ~HASWIDTH;
-+ *flagp |= flags&SPSTART;
-+ while (*regparse == '|') {
-+ regparse++;
-+ br = regbranch(&flags);
-+ if (br == NULL)
-+ return(NULL);
-+ regtail(ret, br); /* BRANCH -> BRANCH. */
-+ if (!(flags&HASWIDTH))
-+ *flagp &= ~HASWIDTH;
-+ *flagp |= flags&SPSTART;
-+ }
-+
-+ /* Make a closing node, and hook it on the end. */
-+ ender = regnode((paren) ? CLOSE+parno : END);
-+ regtail(ret, ender);
-+
-+ /* Hook the tails of the branches to the closing node. */
-+ for (br = ret; br != NULL; br = regnext(br))
-+ regoptail(br, ender);
-+
-+ /* Check for proper termination. */
-+ if (paren && *regparse++ != ')') {
-+ FAIL("unmatched ()");
-+ } else if (!paren && *regparse != '\0') {
-+ if (*regparse == ')') {
-+ FAIL("unmatched ()");
-+ } else
-+ FAIL("junk on end"); /* "Can't happen". */
-+ /* NOTREACHED */
-+ }
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regbranch - one alternative of an | operator
-+ *
-+ * Implements the concatenation operator.
-+ */
-+static char *
-+regbranch(int *flagp)
-+{
-+ register char *ret;
-+ register char *chain;
-+ register char *latest;
-+ int flags;
-+
-+ *flagp = WORST; /* Tentatively. */
-+
-+ ret = regnode(BRANCH);
-+ chain = NULL;
-+ while (*regparse != '\0' && *regparse != '|' && *regparse != ')') {
-+ latest = regpiece(&flags);
-+ if (latest == NULL)
-+ return(NULL);
-+ *flagp |= flags&HASWIDTH;
-+ if (chain == NULL) /* First piece. */
-+ *flagp |= flags&SPSTART;
-+ else
-+ regtail(chain, latest);
-+ chain = latest;
-+ }
-+ if (chain == NULL) /* Loop ran zero times. */
-+ (void) regnode(NOTHING);
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regpiece - something followed by possible [*+?]
-+ *
-+ * Note that the branching code sequences used for ? and the general cases
-+ * of * and + are somewhat optimized: they use the same NOTHING node as
-+ * both the endmarker for their branch list and the body of the last branch.
-+ * It might seem that this node could be dispensed with entirely, but the
-+ * endmarker role is not redundant.
-+ */
-+static char *
-+regpiece(int *flagp)
-+{
-+ register char *ret;
-+ register char op;
-+ register char *next;
-+ int flags;
-+
-+ ret = regatom(&flags);
-+ if (ret == NULL)
-+ return(NULL);
-+
-+ op = *regparse;
-+ if (!ISMULT(op)) {
-+ *flagp = flags;
-+ return(ret);
-+ }
-+
-+ if (!(flags&HASWIDTH) && op != '?')
-+ FAIL("*+ operand could be empty");
-+ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
-+
-+ if (op == '*' && (flags&SIMPLE))
-+ reginsert(STAR, ret);
-+ else if (op == '*') {
-+ /* Emit x* as (x&|), where & means "self". */
-+ reginsert(BRANCH, ret); /* Either x */
-+ regoptail(ret, regnode(BACK)); /* and loop */
-+ regoptail(ret, ret); /* back */
-+ regtail(ret, regnode(BRANCH)); /* or */
-+ regtail(ret, regnode(NOTHING)); /* null. */
-+ } else if (op == '+' && (flags&SIMPLE))
-+ reginsert(PLUS, ret);
-+ else if (op == '+') {
-+ /* Emit x+ as x(&|), where & means "self". */
-+ next = regnode(BRANCH); /* Either */
-+ regtail(ret, next);
-+ regtail(regnode(BACK), ret); /* loop back */
-+ regtail(next, regnode(BRANCH)); /* or */
-+ regtail(ret, regnode(NOTHING)); /* null. */
-+ } else if (op == '?') {
-+ /* Emit x? as (x|) */
-+ reginsert(BRANCH, ret); /* Either x */
-+ regtail(ret, regnode(BRANCH)); /* or */
-+ next = regnode(NOTHING); /* null. */
-+ regtail(ret, next);
-+ regoptail(ret, next);
-+ }
-+ regparse++;
-+ if (ISMULT(*regparse))
-+ FAIL("nested *?+");
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regatom - the lowest level
-+ *
-+ * Optimization: gobbles an entire sequence of ordinary characters so that
-+ * it can turn them into a single node, which is smaller to store and
-+ * faster to run. Backslashed characters are exceptions, each becoming a
-+ * separate node; the code is simpler that way and it's not worth fixing.
-+ */
-+static char *
-+regatom(int *flagp)
-+{
-+ register char *ret;
-+ int flags;
-+
-+ *flagp = WORST; /* Tentatively. */
-+
-+ switch (*regparse++) {
-+ case '^':
-+ ret = regnode(BOL);
-+ break;
-+ case '$':
-+ ret = regnode(EOL);
-+ break;
-+ case '.':
-+ ret = regnode(ANY);
-+ *flagp |= HASWIDTH|SIMPLE;
-+ break;
-+ case '[': {
-+ register int class;
-+ register int classend;
-+
-+ if (*regparse == '^') { /* Complement of range. */
-+ ret = regnode(ANYBUT);
-+ regparse++;
-+ } else
-+ ret = regnode(ANYOF);
-+ if (*regparse == ']' || *regparse == '-')
-+ regc(*regparse++);
-+ while (*regparse != '\0' && *regparse != ']') {
-+ if (*regparse == '-') {
-+ regparse++;
-+ if (*regparse == ']' || *regparse == '\0')
-+ regc('-');
-+ else {
-+ class = UCHARAT(regparse-2)+1;
-+ classend = UCHARAT(regparse);
-+ if (class > classend+1)
-+ FAIL("invalid [] range");
-+ for (; class <= classend; class++)
-+ regc(class);
-+ regparse++;
-+ }
-+ } else
-+ regc(*regparse++);
-+ }
-+ regc('\0');
-+ if (*regparse != ']')
-+ FAIL("unmatched []");
-+ regparse++;
-+ *flagp |= HASWIDTH|SIMPLE;
-+ }
-+ break;
-+ case '(':
-+ ret = reg(1, &flags);
-+ if (ret == NULL)
-+ return(NULL);
-+ *flagp |= flags&(HASWIDTH|SPSTART);
-+ break;
-+ case '\0':
-+ case '|':
-+ case ')':
-+ FAIL("internal urp"); /* Supposed to be caught earlier. */
-+ break;
-+ case '?':
-+ case '+':
-+ case '*':
-+ FAIL("?+* follows nothing");
-+ break;
-+ case '\\':
-+ if (*regparse == '\0')
-+ FAIL("trailing \\");
-+ ret = regnode(EXACTLY);
-+ regc(*regparse++);
-+ regc('\0');
-+ *flagp |= HASWIDTH|SIMPLE;
-+ break;
-+ default: {
-+ register int len;
-+ register char ender;
-+
-+ regparse--;
-+ len = my_strcspn((const char *)regparse, (const char *)META);
-+ if (len <= 0)
-+ FAIL("internal disaster");
-+ ender = *(regparse+len);
-+ if (len > 1 && ISMULT(ender))
-+ len--; /* Back off clear of ?+* operand. */
-+ *flagp |= HASWIDTH;
-+ if (len == 1)
-+ *flagp |= SIMPLE;
-+ ret = regnode(EXACTLY);
-+ while (len > 0) {
-+ regc(*regparse++);
-+ len--;
-+ }
-+ regc('\0');
-+ }
-+ break;
-+ }
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regnode - emit a node
-+ */
-+static char * /* Location. */
-+regnode(char op)
-+{
-+ register char *ret;
-+ register char *ptr;
-+
-+ ret = regcode;
-+ if (ret == ®dummy) {
-+ regsize += 3;
-+ return(ret);
-+ }
-+
-+ ptr = ret;
-+ *ptr++ = op;
-+ *ptr++ = '\0'; /* Null "next" pointer. */
-+ *ptr++ = '\0';
-+ regcode = ptr;
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regc - emit (if appropriate) a byte of code
-+ */
-+static void
-+regc(char b)
-+{
-+ if (regcode != ®dummy)
-+ *regcode++ = b;
-+ else
-+ regsize++;
-+}
-+
-+/*
-+ - reginsert - insert an operator in front of already-emitted operand
-+ *
-+ * Means relocating the operand.
-+ */
-+static void
-+reginsert(char op, char* opnd)
-+{
-+ register char *src;
-+ register char *dst;
-+ register char *place;
-+
-+ if (regcode == ®dummy) {
-+ regsize += 3;
-+ return;
-+ }
-+
-+ src = regcode;
-+ regcode += 3;
-+ dst = regcode;
-+ while (src > opnd)
-+ *--dst = *--src;
-+
-+ place = opnd; /* Op node, where operand used to be. */
-+ *place++ = op;
-+ *place++ = '\0';
-+ *place++ = '\0';
-+}
-+
-+/*
-+ - regtail - set the next-pointer at the end of a node chain
-+ */
-+static void
-+regtail(char *p, char *val)
-+{
-+ register char *scan;
-+ register char *temp;
-+ register int offset;
-+
-+ if (p == ®dummy)
-+ return;
-+
-+ /* Find last node. */
-+ scan = p;
-+ for (;;) {
-+ temp = regnext(scan);
-+ if (temp == NULL)
-+ break;
-+ scan = temp;
-+ }
-+
-+ if (OP(scan) == BACK)
-+ offset = scan - val;
-+ else
-+ offset = val - scan;
-+ *(scan+1) = (offset>>8)&0377;
-+ *(scan+2) = offset&0377;
-+}
-+
-+/*
-+ - regoptail - regtail on operand of first argument; nop if operandless
-+ */
-+static void
-+regoptail(char *p, char *val)
-+{
-+ /* "Operandless" and "op != BRANCH" are synonymous in practice. */
-+ if (p == NULL || p == ®dummy || OP(p) != BRANCH)
-+ return;
-+ regtail(OPERAND(p), val);
-+}
-+
-+/*
-+ * regexec and friends
-+ */
-+
-+/*
-+ * Global work variables for regexec().
-+ */
-+static char *reginput; /* String-input pointer. */
-+static char *regbol; /* Beginning of input, for ^ check. */
-+static char **regstartp; /* Pointer to startp array. */
-+static char **regendp; /* Ditto for endp. */
-+
-+/*
-+ * Forwards.
-+ */
-+STATIC int regtry(regexp *prog, char *string);
-+STATIC int regmatch(char *prog);
-+STATIC int regrepeat(char *p);
-+
-+#ifdef DEBUG
-+int regnarrate = 0;
-+void regdump();
-+STATIC char *regprop(char *op);
-+#endif
-+
-+/*
-+ - regexec - match a regexp against a string
-+ */
-+int
-+regexec(regexp *prog, char *string)
-+{
-+ register char *s;
-+
-+ /* Be paranoid... */
-+ if (prog == NULL || string == NULL) {
-+ printk("<3>Regexp: NULL parameter\n");
-+ return(0);
-+ }
-+
-+ /* Check validity of program. */
-+ if (UCHARAT(prog->program) != MAGIC) {
-+ printk("<3>Regexp: corrupted program\n");
-+ return(0);
-+ }
-+
-+ /* If there is a "must appear" string, look for it. */
-+ if (prog->regmust != NULL) {
-+ s = string;
-+ while ((s = strchr(s, prog->regmust[0])) != NULL) {
-+ if (strncmp(s, prog->regmust, prog->regmlen) == 0)
-+ break; /* Found it. */
-+ s++;
-+ }
-+ if (s == NULL) /* Not present. */
-+ return(0);
-+ }
-+
-+ /* Mark beginning of line for ^ . */
-+ regbol = string;
-+
-+ /* Simplest case: anchored match need be tried only once. */
-+ if (prog->reganch)
-+ return(regtry(prog, string));
-+
-+ /* Messy cases: unanchored match. */
-+ s = string;
-+ if (prog->regstart != '\0')
-+ /* We know what char it must start with. */
-+ while ((s = strchr(s, prog->regstart)) != NULL) {
-+ if (regtry(prog, s))
-+ return(1);
-+ s++;
-+ }
-+ else
-+ /* We don't -- general case. */
-+ do {
-+ if (regtry(prog, s))
-+ return(1);
-+ } while (*s++ != '\0');
-+
-+ /* Failure. */
-+ return(0);
-+}
-+
-+/*
-+ - regtry - try match at specific point
-+ */
-+static int /* 0 failure, 1 success */
-+regtry(regexp *prog, char *string)
-+{
-+ register int i;
-+ register char **sp;
-+ register char **ep;
-+
-+ reginput = string;
-+ regstartp = prog->startp;
-+ regendp = prog->endp;
-+
-+ sp = prog->startp;
-+ ep = prog->endp;
-+ for (i = NSUBEXP; i > 0; i--) {
-+ *sp++ = NULL;
-+ *ep++ = NULL;
-+ }
-+ if (regmatch(prog->program + 1)) {
-+ prog->startp[0] = string;
-+ prog->endp[0] = reginput;
-+ return(1);
-+ } else
-+ return(0);
-+}
-+
-+/*
-+ - regmatch - main matching routine
-+ *
-+ * Conceptually the strategy is simple: check to see whether the current
-+ * node matches, call self recursively to see whether the rest matches,
-+ * and then act accordingly. In practice we make some effort to avoid
-+ * recursion, in particular by going through "ordinary" nodes (that don't
-+ * need to know whether the rest of the match failed) by a loop instead of
-+ * by recursion.
-+ */
-+static int /* 0 failure, 1 success */
-+regmatch(char *prog)
-+{
-+ register char *scan = prog; /* Current node. */
-+ char *next; /* Next node. */
-+
-+#ifdef DEBUG
-+ if (scan != NULL && regnarrate)
-+ fprintf(stderr, "%s(\n", regprop(scan));
-+#endif
-+ while (scan != NULL) {
-+#ifdef DEBUG
-+ if (regnarrate)
-+ fprintf(stderr, "%s...\n", regprop(scan));
-+#endif
-+ next = regnext(scan);
-+
-+ switch (OP(scan)) {
-+ case BOL:
-+ if (reginput != regbol)
-+ return(0);
-+ break;
-+ case EOL:
-+ if (*reginput != '\0')
-+ return(0);
-+ break;
-+ case ANY:
-+ if (*reginput == '\0')
-+ return(0);
-+ reginput++;
-+ break;
-+ case EXACTLY: {
-+ register int len;
-+ register char *opnd;
-+
-+ opnd = OPERAND(scan);
-+ /* Inline the first character, for speed. */
-+ if (*opnd != *reginput)
-+ return(0);
-+ len = strlen(opnd);
-+ if (len > 1 && strncmp(opnd, reginput, len) != 0)
-+ return(0);
-+ reginput += len;
-+ }
-+ break;
-+ case ANYOF:
-+ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) == NULL)
-+ return(0);
-+ reginput++;
-+ break;
-+ case ANYBUT:
-+ if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) != NULL)
-+ return(0);
-+ reginput++;
-+ break;
-+ case NOTHING:
-+ case BACK:
-+ break;
-+ case OPEN+1:
-+ case OPEN+2:
-+ case OPEN+3:
-+ case OPEN+4:
-+ case OPEN+5:
-+ case OPEN+6:
-+ case OPEN+7:
-+ case OPEN+8:
-+ case OPEN+9: {
-+ register int no;
-+ register char *save;
-+
-+ no = OP(scan) - OPEN;
-+ save = reginput;
-+
-+ if (regmatch(next)) {
-+ /*
-+ * Don't set startp if some later
-+ * invocation of the same parentheses
-+ * already has.
-+ */
-+ if (regstartp[no] == NULL)
-+ regstartp[no] = save;
-+ return(1);
-+ } else
-+ return(0);
-+ }
-+ break;
-+ case CLOSE+1:
-+ case CLOSE+2:
-+ case CLOSE+3:
-+ case CLOSE+4:
-+ case CLOSE+5:
-+ case CLOSE+6:
-+ case CLOSE+7:
-+ case CLOSE+8:
-+ case CLOSE+9:
-+ {
-+ register int no;
-+ register char *save;
-+
-+ no = OP(scan) - CLOSE;
-+ save = reginput;
-+
-+ if (regmatch(next)) {
-+ /*
-+ * Don't set endp if some later
-+ * invocation of the same parentheses
-+ * already has.
-+ */
-+ if (regendp[no] == NULL)
-+ regendp[no] = save;
-+ return(1);
-+ } else
-+ return(0);
-+ }
-+ break;
-+ case BRANCH: {
-+ register char *save;
-+
-+ if (OP(next) != BRANCH) /* No choice. */
-+ next = OPERAND(scan); /* Avoid recursion. */
-+ else {
-+ do {
-+ save = reginput;
-+ if (regmatch(OPERAND(scan)))
-+ return(1);
-+ reginput = save;
-+ scan = regnext(scan);
-+ } while (scan != NULL && OP(scan) == BRANCH);
-+ return(0);
-+ /* NOTREACHED */
-+ }
-+ }
-+ break;
-+ case STAR:
-+ case PLUS: {
-+ register char nextch;
-+ register int no;
-+ register char *save;
-+ register int min;
-+
-+ /*
-+ * Lookahead to avoid useless match attempts
-+ * when we know what character comes next.
-+ */
-+ nextch = '\0';
-+ if (OP(next) == EXACTLY)
-+ nextch = *OPERAND(next);
-+ min = (OP(scan) == STAR) ? 0 : 1;
-+ save = reginput;
-+ no = regrepeat(OPERAND(scan));
-+ while (no >= min) {
-+ /* If it could work, try it. */
-+ if (nextch == '\0' || *reginput == nextch)
-+ if (regmatch(next))
-+ return(1);
-+ /* Couldn't or didn't -- back up. */
-+ no--;
-+ reginput = save + no;
-+ }
-+ return(0);
-+ }
-+ break;
-+ case END:
-+ return(1); /* Success! */
-+ break;
-+ default:
-+ printk("<3>Regexp: memory corruption\n");
-+ return(0);
-+ break;
-+ }
-+
-+ scan = next;
-+ }
-+
-+ /*
-+ * We get here only if there's trouble -- normally "case END" is
-+ * the terminating point.
-+ */
-+ printk("<3>Regexp: corrupted pointers\n");
-+ return(0);
-+}
-+
-+/*
-+ - regrepeat - repeatedly match something simple, report how many
-+ */
-+static int
-+regrepeat(char *p)
-+{
-+ register int count = 0;
-+ register char *scan;
-+ register char *opnd;
-+
-+ scan = reginput;
-+ opnd = OPERAND(p);
-+ switch (OP(p)) {
-+ case ANY:
-+ count = strlen(scan);
-+ scan += count;
-+ break;
-+ case EXACTLY:
-+ while (*opnd == *scan) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ case ANYOF:
-+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ case ANYBUT:
-+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ default: /* Oh dear. Called inappropriately. */
-+ printk("<3>Regexp: internal foulup\n");
-+ count = 0; /* Best compromise. */
-+ break;
-+ }
-+ reginput = scan;
-+
-+ return(count);
-+}
-+
-+/*
-+ - regnext - dig the "next" pointer out of a node
-+ */
-+static char*
-+regnext(char *p)
-+{
-+ register int offset;
-+
-+ if (p == ®dummy)
-+ return(NULL);
-+
-+ offset = NEXT(p);
-+ if (offset == 0)
-+ return(NULL);
-+
-+ if (OP(p) == BACK)
-+ return(p-offset);
-+ else
-+ return(p+offset);
-+}
-+
-+#ifdef DEBUG
-+
-+STATIC char *regprop();
-+
-+/*
-+ - regdump - dump a regexp onto stdout in vaguely comprehensible form
-+ */
-+void
-+regdump(regexp *r)
-+{
-+ register char *s;
-+ register char op = EXACTLY; /* Arbitrary non-END op. */
-+ register char *next;
-+ /* extern char *strchr(); */
-+
-+
-+ s = r->program + 1;
-+ while (op != END) { /* While that wasn't END last time... */
-+ op = OP(s);
-+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
-+ next = regnext(s);
-+ if (next == NULL) /* Next ptr. */
-+ printf("(0)");
-+ else
-+ printf("(%d)", (s-r->program)+(next-s));
-+ s += 3;
-+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
-+ /* Literal string, where present. */
-+ while (*s != '\0') {
-+ putchar(*s);
-+ s++;
-+ }
-+ s++;
-+ }
-+ putchar('\n');
-+ }
-+
-+ /* Header fields of interest. */
-+ if (r->regstart != '\0')
-+ printf("start `%c' ", r->regstart);
-+ if (r->reganch)
-+ printf("anchored ");
-+ if (r->regmust != NULL)
-+ printf("must have \"%s\"", r->regmust);
-+ printf("\n");
-+}
-+
-+/*
-+ - regprop - printable representation of opcode
-+ */
-+static char *
-+regprop(char *op)
-+{
-+#define BUFLEN 50
-+ register char *p;
-+ static char buf[BUFLEN];
-+
-+ strcpy(buf, ":");
-+
-+ switch (OP(op)) {
-+ case BOL:
-+ p = "BOL";
-+ break;
-+ case EOL:
-+ p = "EOL";
-+ break;
-+ case ANY:
-+ p = "ANY";
-+ break;
-+ case ANYOF:
-+ p = "ANYOF";
-+ break;
-+ case ANYBUT:
-+ p = "ANYBUT";
-+ break;
-+ case BRANCH:
-+ p = "BRANCH";
-+ break;
-+ case EXACTLY:
-+ p = "EXACTLY";
-+ break;
-+ case NOTHING:
-+ p = "NOTHING";
-+ break;
-+ case BACK:
-+ p = "BACK";
-+ break;
-+ case END:
-+ p = "END";
-+ break;
-+ case OPEN+1:
-+ case OPEN+2:
-+ case OPEN+3:
-+ case OPEN+4:
-+ case OPEN+5:
-+ case OPEN+6:
-+ case OPEN+7:
-+ case OPEN+8:
-+ case OPEN+9:
-+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
-+ p = NULL;
-+ break;
-+ case CLOSE+1:
-+ case CLOSE+2:
-+ case CLOSE+3:
-+ case CLOSE+4:
-+ case CLOSE+5:
-+ case CLOSE+6:
-+ case CLOSE+7:
-+ case CLOSE+8:
-+ case CLOSE+9:
-+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
-+ p = NULL;
-+ break;
-+ case STAR:
-+ p = "STAR";
-+ break;
-+ case PLUS:
-+ p = "PLUS";
-+ break;
-+ default:
-+ printk("<3>Regexp: corrupted opcode\n");
-+ break;
-+ }
-+ if (p != NULL)
-+ strncat(buf, p, BUFLEN-strlen(buf));
-+ return(buf);
-+}
-+#endif
-+
-+
-Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h 2007-12-15 05:20:06.040184453 +0100
-@@ -0,0 +1,40 @@
-+/*
-+ * Definitions etc. for regexp(3) routines.
-+ *
-+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
-+ * not the System V one.
-+ */
-+
-+#ifndef REGEXP_H
-+#define REGEXP_H
-+
-+/*
-+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
-+which contains a version of this library, says:
-+
-+ *
-+ * NSUBEXP must be at least 10, and no greater than 117 or the parser
-+ * will not work properly.
-+ *
-+
-+However, it looks rather like this library is limited to 10. If you think
-+otherwise, let us know.
-+*/
-+
-+#define NSUBEXP 10
-+typedef struct regexp {
-+ char *startp[NSUBEXP];
-+ char *endp[NSUBEXP];
-+ char regstart; /* Internal use only. */
-+ char reganch; /* Internal use only. */
-+ char *regmust; /* Internal use only. */
-+ int regmlen; /* Internal use only. */
-+ char program[1]; /* Unwarranted chumminess with compiler. */
-+} regexp;
-+
-+regexp * regcomp(char *exp, int *patternsize);
-+int regexec(regexp *prog, char *string);
-+void regsub(regexp *prog, char *source, char *dest);
-+void regerror(char *s);
-+
-+#endif
-Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h 2007-12-15 05:20:06.040184453 +0100
-@@ -0,0 +1,5 @@
-+/*
-+ * The first byte of the regexp internal "program" is actually this magic
-+ * number; the start node begins in the second byte.
-+ */
-+#define MAGIC 0234
-Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c 2007-12-15 05:20:06.044184683 +0100
-@@ -0,0 +1,95 @@
-+/*
-+ * regsub
-+ * @(#)regsub.c 1.3 of 2 April 86
-+ *
-+ * Copyright (c) 1986 by University of Toronto.
-+ * Written by Henry Spencer. Not derived from licensed software.
-+ *
-+ * Permission is granted to anyone to use this software for any
-+ * purpose on any computer system, and to redistribute it freely,
-+ * subject to the following restrictions:
-+ *
-+ * 1. The author is not responsible for the consequences of use of
-+ * this software, no matter how awful, even if they arise
-+ * from defects in it.
-+ *
-+ * 2. The origin of this software must not be misrepresented, either
-+ * by explicit claim or by omission.
-+ *
-+ * 3. Altered versions must be plainly marked as such, and must not
-+ * be misrepresented as being the original software.
-+ *
-+ *
-+ * This code was modified by Ethan Sommer to work within the kernel
-+ * (it now uses kmalloc etc..)
-+ *
-+ */
-+#include "regexp.h"
-+#include "regmagic.h"
-+#include <linux/string.h>
-+
-+
-+#ifndef CHARBITS
-+#define UCHARAT(p) ((int)*(unsigned char *)(p))
-+#else
-+#define UCHARAT(p) ((int)*(p)&CHARBITS)
-+#endif
-+
-+#if 0
-+//void regerror(char * s)
-+//{
-+// printk("regexp(3): %s", s);
-+// /* NOTREACHED */
-+//}
-+#endif
-+
-+/*
-+ - regsub - perform substitutions after a regexp match
-+ */
-+void
-+regsub(regexp * prog, char * source, char * dest)
-+{
-+ register char *src;
-+ register char *dst;
-+ register char c;
-+ register int no;
-+ register int len;
-+
-+ /* Not necessary and gcc doesn't like it -MLS */
-+ /*extern char *strncpy();*/
-+
-+ if (prog == NULL || source == NULL || dest == NULL) {
-+ regerror("NULL parm to regsub");
-+ return;
-+ }
-+ if (UCHARAT(prog->program) != MAGIC) {
-+ regerror("damaged regexp fed to regsub");
-+ return;
-+ }
-+
-+ src = source;
-+ dst = dest;
-+ while ((c = *src++) != '\0') {
-+ if (c == '&')
-+ no = 0;
-+ else if (c == '\\' && '0' <= *src && *src <= '9')
-+ no = *src++ - '0';
-+ else
-+ no = -1;
-+
-+ if (no < 0) { /* Ordinary character. */
-+ if (c == '\\' && (*src == '\\' || *src == '&'))
-+ c = *src++;
-+ *dst++ = c;
-+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
-+ len = prog->endp[no] - prog->startp[no];
-+ (void) strncpy(dst, prog->startp[no], len);
-+ dst += len;
-+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
-+ regerror("damaged match string");
-+ return;
-+ }
-+ }
-+ }
-+ *dst++ = '\0';
-+}
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_IPP2P=m
CONFIG_IP_NF_MATCH_IPRANGE=m
-CONFIG_IP_NF_MATCH_LAYER7=m
-# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_SET=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_IPP2P=m
CONFIG_IP_NF_MATCH_IPRANGE=m
-CONFIG_IP_NF_MATCH_LAYER7=m
-# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_SET=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
--- /dev/null
+Index: linux-2.6.22.18/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/Kconfig
++++ linux-2.6.22.18/net/netfilter/Kconfig
+@@ -603,6 +603,27 @@ config NETFILTER_XT_MATCH_STATE
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_LAYER7
++ tristate '"layer7" match support'
++ depends on NETFILTER_XTABLES
++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
++ depends on NF_CT_ACCT
++ help
++ Say Y if you want to be able to classify connections (and their
++ packets) based on regular expression matching of their application
++ layer data. This is one way to classify applications such as
++ peer-to-peer filesharing systems that do not always use the same
++ port.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
++config NETFILTER_XT_MATCH_LAYER7_DEBUG
++ bool 'Layer 7 debugging output'
++ depends on NETFILTER_XT_MATCH_LAYER7
++ help
++ Say Y to get lots of debugging output.
++
++
+ config NETFILTER_XT_MATCH_STATISTIC
+ tristate '"statistic" match support'
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.22.18/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/Makefile
++++ linux-2.6.22.18/net/netfilter/Makefile
+@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +
+ obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+Index: linux-2.6.22.18/net/netfilter/xt_layer7.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_layer7.c
+@@ -0,0 +1,634 @@
++/*
++ Kernel module to match application layer (OSI layer 7) data in connections.
++
++ http://l7-filter.sf.net
++
++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>,
++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
++ Ethan Sommer, Justin Levandoski.
++*/
++
++#include <linux/spinlock.h>
++#include <linux/version.h>
++#include <net/ip.h>
++#include <net/tcp.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_layer7.h>
++#include <linux/ctype.h>
++#include <linux/proc_fs.h>
++
++#include "regexp/regexp.c"
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
++MODULE_DESCRIPTION("iptables application layer match module");
++MODULE_ALIAS("ipt_layer7");
++MODULE_VERSION("2.17");
++
++static int maxdatalen = 2048; // this is the default
++module_param(maxdatalen, int, 0444);
++MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
++ #define DPRINTK(format,args...) printk(format,##args)
++#else
++ #define DPRINTK(format,args...)
++#endif
++
++#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
++ master_conntrack->counters[IP_CT_DIR_REPLY].packets
++
++/* Number of packets whose data we look at.
++This can be modified through /proc/net/layer7_numpackets */
++static int num_packets = 10;
++
++static struct pattern_cache {
++ char * regex_string;
++ regexp * pattern;
++ struct pattern_cache * next;
++} * first_pattern_cache = NULL;
++
++DEFINE_SPINLOCK(l7_lock);
++
++#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++/* Converts an unfriendly string into a friendly one by
++replacing unprintables with periods and all whitespace with " ". */
++static char * friendly_print(unsigned char * s)
++{
++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
++ int i;
++
++ if(!f) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "friendly_print, bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++){
++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
++ else if(isspace(s[i])) f[i] = ' ';
++ else f[i] = '.';
++ }
++ f[i] = '\0';
++ return f;
++}
++
++static char dec2hex(int i)
++{
++ switch (i) {
++ case 0 ... 9:
++ return (i + '0');
++ break;
++ case 10 ... 15:
++ return (i - 10 + 'a');
++ break;
++ default:
++ if (net_ratelimit())
++ printk("layer7: Problem in dec2hex\n");
++ return '\0';
++ }
++}
++
++static char * hex_print(unsigned char * s)
++{
++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
++ int i;
++
++ if(!g) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in hex_print, "
++ "bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++) {
++ g[i*3 ] = dec2hex(s[i]/16);
++ g[i*3 + 1] = dec2hex(s[i]%16);
++ g[i*3 + 2] = ' ';
++ }
++ g[i*3] = '\0';
++
++ return g;
++}
++#endif // DEBUG
++
++/* Use instead of regcomp. As we expect to be seeing the same regexps over and
++over again, it make sense to cache the results. */
++static regexp * compile_and_cache(const char * regex_string,
++ const char * protocol)
++{
++ struct pattern_cache * node = first_pattern_cache;
++ struct pattern_cache * last_pattern_cache = first_pattern_cache;
++ struct pattern_cache * tmp;
++ unsigned int len;
++
++ while (node != NULL) {
++ if (!strcmp(node->regex_string, regex_string))
++ return node->pattern;
++
++ last_pattern_cache = node;/* points at the last non-NULL node */
++ node = node->next;
++ }
++
++ /* If we reach the end of the list, then we have not yet cached
++ the pattern for this regex. Let's do that now.
++ Be paranoid about running out of memory to avoid list corruption. */
++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
++
++ if(!tmp) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
++ return NULL;
++ }
++
++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
++ tmp->next = NULL;
++
++ if(!tmp->regex_string || !tmp->pattern) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
++ kfree(tmp->regex_string);
++ kfree(tmp->pattern);
++ kfree(tmp);
++ return NULL;
++ }
++
++ /* Ok. The new node is all ready now. */
++ node = tmp;
++
++ if(first_pattern_cache == NULL) /* list is empty */
++ first_pattern_cache = node; /* make node the beginning */
++ else
++ last_pattern_cache->next = node; /* attach node to the end */
++
++ /* copy the string and compile the regex */
++ len = strlen(regex_string);
++ DPRINTK("About to compile this: \"%s\"\n", regex_string);
++ node->pattern = regcomp((char *)regex_string, &len);
++ if ( !node->pattern ) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: Error compiling regexp "
++ "\"%s\" (%s)\n",
++ regex_string, protocol);
++ /* pattern is now cached as NULL, so we won't try again. */
++ }
++
++ strcpy(node->regex_string, regex_string);
++ return node->pattern;
++}
++
++static int can_handle(const struct sk_buff *skb)
++{
++ if(!ip_hdr(skb)) /* not IP */
++ return 0;
++ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
++ ip_hdr(skb)->protocol != IPPROTO_UDP &&
++ ip_hdr(skb)->protocol != IPPROTO_ICMP)
++ return 0;
++ return 1;
++}
++
++/* Returns offset the into the skb->data that the application data starts */
++static int app_data_offset(const struct sk_buff *skb)
++{
++ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
++ int ip_hl = 4*ip_hdr(skb)->ihl;
++
++ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
++ /* 12 == offset into TCP header for the header length field.
++ Can't get this with skb->h.th->doff because the tcphdr
++ struct doesn't get set when routing (this is confirmed to be
++ true in Netfilter as well as QoS.) */
++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
++
++ return ip_hl + tcp_hl;
++ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
++ return ip_hl + 8; /* UDP header is always 8 bytes */
++ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
++ return ip_hl + 8; /* ICMP header is 8 bytes */
++ } else {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: tried to handle unknown "
++ "protocol!\n");
++ return ip_hl + 8; /* something reasonable */
++ }
++}
++
++/* handles whether there's a match when we aren't appending data anymore */
++static int match_no_append(struct nf_conn * conntrack,
++ struct nf_conn * master_conntrack,
++ enum ip_conntrack_info ctinfo,
++ enum ip_conntrack_info master_ctinfo,
++ const struct xt_layer7_info * info)
++{
++ /* If we're in here, throw the app data away */
++ if(master_conntrack->layer7.app_data != NULL) {
++
++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++ if(!master_conntrack->layer7.app_proto) {
++ char * f =
++ friendly_print(master_conntrack->layer7.app_data);
++ char * g =
++ hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes "
++ "(%d packets):\n%s\n",
++ strlen(f), TOTAL_PACKETS, f);
++ kfree(f);
++ DPRINTK("In hex: %s\n", g);
++ kfree(g);
++ }
++ #endif
++
++ kfree(master_conntrack->layer7.app_data);
++ master_conntrack->layer7.app_data = NULL; /* don't free again */
++ }
++
++ if(master_conntrack->layer7.app_proto){
++ /* Here child connections set their .app_proto (for /proc) */
++ if(!conntrack->layer7.app_proto) {
++ conntrack->layer7.app_proto =
++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
++ GFP_ATOMIC);
++ if(!conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory "
++ "in match_no_append, "
++ "bailing.\n");
++ return 1;
++ }
++ strcpy(conntrack->layer7.app_proto,
++ master_conntrack->layer7.app_proto);
++ }
++
++ return (!strcmp(master_conntrack->layer7.app_proto,
++ info->protocol));
++ }
++ else {
++ /* If not classified, set to "unknown" to distinguish from
++ connections that are still being tested. */
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match_no_append, bailing.\n");
++ return 1;
++ }
++ strcpy(master_conntrack->layer7.app_proto, "unknown");
++ return 0;
++ }
++}
++
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length = 0, i;
++ int oldlength = master_conntrack->layer7.app_data_len;
++
++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
++ clear on whether the race condition exists or whether this really
++ fixes it. I might just be being dense... Anyway, if it's not really
++ a fix, all it does is waste a very small amount of time. */
++ if(!master_conntrack->layer7.app_data) return 0;
++
++ /* Strip nulls. Make everything lower case (our regex lib doesn't
++ do case insensitivity). Add it to the end of the current data. */
++ for(i = 0; i < maxdatalen-oldlength-1 &&
++ i < appdatalen; i++) {
++ if(app_data[i] != '\0') {
++ /* the kernel version of tolower mungs 'upper ascii' */
++ master_conntrack->layer7.app_data[length+oldlength] =
++ isascii(app_data[i])?
++ tolower(app_data[i]) : app_data[i];
++ length++;
++ }
++ }
++
++ master_conntrack->layer7.app_data[length+oldlength] = '\0';
++ master_conntrack->layer7.app_data_len = length + oldlength;
++
++ return length;
++}
++
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
++{
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. "
++ "num_packets unchanged.\n");
++ return count;
++ }
++
++ if(copy_from_user(foo, buffer, count)) {
++ return -EFAULT;
++ }
++
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++static int
++match(const struct sk_buff *skbin,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
++{
++ /* sidestep const without getting a compiler warning... */
++ struct sk_buff * skb = (struct sk_buff *)skbin;
++
++ const struct xt_layer7_info * info = matchinfo;
++ enum ip_conntrack_info master_ctinfo, ctinfo;
++ struct nf_conn *master_conntrack, *conntrack;
++ unsigned char * app_data;
++ unsigned int pattern_result, appdatalen;
++ regexp * comppattern;
++
++ /* Be paranoid/incompetent - lock the entire match function. */
++ spin_lock_bh(&l7_lock);
++
++ if(!can_handle(skb)){
++ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ /* Treat parent & all its children together as one connection, except
++ for the purpose of setting conntrack->layer7.app_proto in the actual
++ connection. This makes /proc/net/ip_conntrack more satisfying. */
++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
++ DPRINTK("layer7: couldn't get conntrack.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
++ while (master_ct(master_conntrack) != NULL)
++ master_conntrack = master_ct(master_conntrack);
++
++ /* if we've classified it or seen too many packets */
++ if(TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto) {
++
++ pattern_result = match_no_append(conntrack, master_conntrack,
++ ctinfo, master_ctinfo, info);
++
++ /* skb->cb[0] == seen. Don't do things twice if there are
++ multiple l7 rules. I'm not sure that using cb for this purpose
++ is correct, even though it says "put your private variables
++ there". But it doesn't look like it is being used for anything
++ else in the skbs that make it here. */
++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
++
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++ }
++
++ if(skb_is_nonlinear(skb)){
++ if(skb_linearize(skb) != 0){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: failed to linearize "
++ "packet, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++ }
++
++ /* now that the skb is linearized, it's safe to set these. */
++ app_data = skb->data + app_data_offset(skb);
++ appdatalen = skb_tail_pointer(skb) - app_data;
++
++ /* the return value gets checked later, when we're ready to use it */
++ comppattern = compile_and_cache(info->pattern, info->protocol);
++
++ /* On the first packet of a connection, allocate space for app data */
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ !master_conntrack->layer7.app_data){
++ master_conntrack->layer7.app_data =
++ kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ master_conntrack->layer7.app_data[0] = '\0';
++ }
++
++ /* Can be here, but unallocated, if numpackets is increased near
++ the beginning of a connection */
++ if(master_conntrack->layer7.app_data == NULL){
++ spin_unlock_bh(&l7_lock);
++ return (info->invert); /* unmatched */
++ }
++
++ if(!skb->cb[0]){
++ int newbytes;
++ newbytes = add_data(master_conntrack, app_data, appdatalen);
++
++ if(newbytes == 0) { /* didn't add any data */
++ skb->cb[0] = 1;
++ /* Didn't match before, not going to match now */
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++ }
++
++ /* If looking for "unknown", then never match. "Unknown" means that
++ we've given up; we're still trying with these packets. */
++ if(!strcmp(info->protocol, "unknown")) {
++ pattern_result = 0;
++ /* If looking for "unset", then always match. "Unset" means that we
++ haven't yet classified the connection. */
++ } else if(!strcmp(info->protocol, "unset")) {
++ pattern_result = 2;
++ DPRINTK("layer7: matched unset: not yet classified "
++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ /* If the regexp failed to compile, don't bother running it */
++ } else if(comppattern &&
++ regexec(comppattern, master_conntrack->layer7.app_data)){
++ DPRINTK("layer7: matched %s\n", info->protocol);
++ pattern_result = 1;
++ } else pattern_result = 0;
++
++ if(pattern_result == 1) {
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++ }
++ strcpy(master_conntrack->layer7.app_proto, info->protocol);
++ } else if(pattern_result > 1) { /* cleanup from "unset" */
++ pattern_result = 1;
++ }
++
++ /* mark the packet seen */
++ skb->cb[0] = 1;
++
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++}
++
++static int check(const char *tablename,
++ const void *inf,
++ const struct xt_match *match,
++ void *matchinfo,
++ unsigned int hook_mask)
++
++{
++ // load nf_conntrack_ipv4
++ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
++ printk(KERN_WARNING "can't load conntrack support for "
++ "proto=%d\n", match->family);
++ return false;
++ }
++ return true;
++}
++
++static void
++destroy(const struct xt_match *match, void *matchinfo)
++{
++ nf_ct_l3proto_module_put(match->family);
++}
++
++static struct xt_match xt_layer7_match[] = {
++{
++ .name = "layer7",
++ .family = AF_INET,
++ .checkentry = check,
++ .match = match,
++ .destroy = destroy,
++ .matchsize = sizeof(struct xt_layer7_info),
++ .me = THIS_MODULE
++}
++};
++
++static void layer7_cleanup_proc(void)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ remove_proc_entry("layer7_numpackets", proc_net);
++#else
++ remove_proc_entry("layer7_numpackets", init_net.proc_net);
++#endif
++}
++
++/* register the proc file */
++static void layer7_init_proc(void)
++{
++ struct proc_dir_entry* entry;
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
++#else
++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
++#endif
++ entry->read_proc = layer7_read_proc;
++ entry->write_proc = layer7_write_proc;
++}
++
++static int __init xt_layer7_init(void)
++{
++ need_conntrack();
++
++ layer7_init_proc();
++ if(maxdatalen < 1) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, "
++ "using 1\n");
++ maxdatalen = 1;
++ }
++ /* This is not a hard limit. It's just here to prevent people from
++ bringing their slow machines to a grinding halt. */
++ else if(maxdatalen > 65536) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, "
++ "using 65536\n");
++ maxdatalen = 65536;
++ }
++ return xt_register_matches(xt_layer7_match,
++ ARRAY_SIZE(xt_layer7_match));
++}
++
++static void __exit xt_layer7_fini(void)
++{
++ layer7_cleanup_proc();
++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
++}
++
++module_init(xt_layer7_init);
++module_exit(xt_layer7_fini);
+Index: linux-2.6.22.18/net/netfilter/regexp/regexp.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regexp.c
+@@ -0,0 +1,1197 @@
++/*
++ * regcomp and regexec -- regsub and regerror are elsewhere
++ * @(#)regexp.c 1.3 of 18 April 87
++ *
++ * Copyright (c) 1986 by University of Toronto.
++ * Written by Henry Spencer. Not derived from licensed software.
++ *
++ * Permission is granted to anyone to use this software for any
++ * purpose on any computer system, and to redistribute it freely,
++ * subject to the following restrictions:
++ *
++ * 1. The author is not responsible for the consequences of use of
++ * this software, no matter how awful, even if they arise
++ * from defects in it.
++ *
++ * 2. The origin of this software must not be misrepresented, either
++ * by explicit claim or by omission.
++ *
++ * 3. Altered versions must be plainly marked as such, and must not
++ * be misrepresented as being the original software.
++ *
++ * Beware that some of this code is subtly aware of the way operator
++ * precedence is structured in regular expressions. Serious changes in
++ * regular-expression syntax might require a total rethink.
++ *
++ * This code was modified by Ethan Sommer to work within the kernel
++ * (it now uses kmalloc etc..)
++ *
++ * Modified slightly by Matthew Strait to use more modern C.
++ */
++
++#include "regexp.h"
++#include "regmagic.h"
++
++/* added by ethan and matt. Lets it work in both kernel and user space.
++(So iptables can use it, for instance.) Yea, it goes both ways... */
++#if __KERNEL__
++ #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
++#else
++ #define printk(format,args...) printf(format,##args)
++#endif
++
++void regerror(char * s)
++{
++ printk("<3>Regexp: %s\n", s);
++ /* NOTREACHED */
++}
++
++/*
++ * The "internal use only" fields in regexp.h are present to pass info from
++ * compile to execute that permits the execute phase to run lots faster on
++ * simple cases. They are:
++ *
++ * regstart char that must begin a match; '\0' if none obvious
++ * reganch is the match anchored (at beginning-of-line only)?
++ * regmust string (pointer into program) that match must include, or NULL
++ * regmlen length of regmust string
++ *
++ * Regstart and reganch permit very fast decisions on suitable starting points
++ * for a match, cutting down the work a lot. Regmust permits fast rejection
++ * of lines that cannot possibly match. The regmust tests are costly enough
++ * that regcomp() supplies a regmust only if the r.e. contains something
++ * potentially expensive (at present, the only such thing detected is * or +
++ * at the start of the r.e., which can involve a lot of backup). Regmlen is
++ * supplied because the test in regexec() needs it and regcomp() is computing
++ * it anyway.
++ */
++
++/*
++ * Structure for regexp "program". This is essentially a linear encoding
++ * of a nondeterministic finite-state machine (aka syntax charts or
++ * "railroad normal form" in parsing technology). Each node is an opcode
++ * plus a "next" pointer, possibly plus an operand. "Next" pointers of
++ * all nodes except BRANCH implement concatenation; a "next" pointer with
++ * a BRANCH on both ends of it is connecting two alternatives. (Here we
++ * have one of the subtle syntax dependencies: an individual BRANCH (as
++ * opposed to a collection of them) is never concatenated with anything
++ * because of operator precedence.) The operand of some types of node is
++ * a literal string; for others, it is a node leading into a sub-FSM. In
++ * particular, the operand of a BRANCH node is the first node of the branch.
++ * (NB this is *not* a tree structure: the tail of the branch connects
++ * to the thing following the set of BRANCHes.) The opcodes are:
++ */
++
++/* definition number opnd? meaning */
++#define END 0 /* no End of program. */
++#define BOL 1 /* no Match "" at beginning of line. */
++#define EOL 2 /* no Match "" at end of line. */
++#define ANY 3 /* no Match any one character. */
++#define ANYOF 4 /* str Match any character in this string. */
++#define ANYBUT 5 /* str Match any character not in this string. */
++#define BRANCH 6 /* node Match this alternative, or the next... */
++#define BACK 7 /* no Match "", "next" ptr points backward. */
++#define EXACTLY 8 /* str Match this string. */
++#define NOTHING 9 /* no Match empty string. */
++#define STAR 10 /* node Match this (simple) thing 0 or more times. */
++#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
++#define OPEN 20 /* no Mark this point in input as start of #n. */
++ /* OPEN+1 is number 1, etc. */
++#define CLOSE 30 /* no Analogous to OPEN. */
++
++/*
++ * Opcode notes:
++ *
++ * BRANCH The set of branches constituting a single choice are hooked
++ * together with their "next" pointers, since precedence prevents
++ * anything being concatenated to any individual branch. The
++ * "next" pointer of the last BRANCH in a choice points to the
++ * thing following the whole choice. This is also where the
++ * final "next" pointer of each individual branch points; each
++ * branch starts with the operand node of a BRANCH node.
++ *
++ * BACK Normal "next" pointers all implicitly point forward; BACK
++ * exists to make loop structures possible.
++ *
++ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
++ * BRANCH structures using BACK. Simple cases (one character
++ * per match) are implemented with STAR and PLUS for speed
++ * and to minimize recursive plunges.
++ *
++ * OPEN,CLOSE ...are numbered at compile time.
++ */
++
++/*
++ * A node is one char of opcode followed by two chars of "next" pointer.
++ * "Next" pointers are stored as two 8-bit pieces, high order first. The
++ * value is a positive offset from the opcode of the node containing it.
++ * An operand, if any, simply follows the node. (Note that much of the
++ * code generation knows about this implicit relationship.)
++ *
++ * Using two bytes for the "next" pointer is vast overkill for most things,
++ * but allows patterns to get big without disasters.
++ */
++#define OP(p) (*(p))
++#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
++#define OPERAND(p) ((p) + 3)
++
++/*
++ * See regmagic.h for one further detail of program structure.
++ */
++
++
++/*
++ * Utility definitions.
++ */
++#ifndef CHARBITS
++#define UCHARAT(p) ((int)*(unsigned char *)(p))
++#else
++#define UCHARAT(p) ((int)*(p)&CHARBITS)
++#endif
++
++#define FAIL(m) { regerror(m); return(NULL); }
++#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
++#define META "^$.[()|?+*\\"
++
++/*
++ * Flags to be passed up and down.
++ */
++#define HASWIDTH 01 /* Known never to match null string. */
++#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
++#define SPSTART 04 /* Starts with * or +. */
++#define WORST 0 /* Worst case. */
++
++/*
++ * Global work variables for regcomp().
++ */
++struct match_globals {
++char *reginput; /* String-input pointer. */
++char *regbol; /* Beginning of input, for ^ check. */
++char **regstartp; /* Pointer to startp array. */
++char **regendp; /* Ditto for endp. */
++char *regparse; /* Input-scan pointer. */
++int regnpar; /* () count. */
++char regdummy;
++char *regcode; /* Code-emit pointer; ®dummy = don't. */
++long regsize; /* Code size. */
++};
++
++/*
++ * Forward declarations for regcomp()'s friends.
++ */
++#ifndef STATIC
++#define STATIC static
++#endif
++STATIC char *reg(struct match_globals *g, int paren,int *flagp);
++STATIC char *regbranch(struct match_globals *g, int *flagp);
++STATIC char *regpiece(struct match_globals *g, int *flagp);
++STATIC char *regatom(struct match_globals *g, int *flagp);
++STATIC char *regnode(struct match_globals *g, char op);
++STATIC char *regnext(struct match_globals *g, char *p);
++STATIC void regc(struct match_globals *g, char b);
++STATIC void reginsert(struct match_globals *g, char op, char *opnd);
++STATIC void regtail(struct match_globals *g, char *p, char *val);
++STATIC void regoptail(struct match_globals *g, char *p, char *val);
++
++
++__kernel_size_t my_strcspn(const char *s1,const char *s2)
++{
++ char *scan1;
++ char *scan2;
++ int count;
++
++ count = 0;
++ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
++ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
++ if (*scan1 == *scan2++)
++ return(count);
++ count++;
++ }
++ return(count);
++}
++
++/*
++ - regcomp - compile a regular expression into internal code
++ *
++ * We can't allocate space until we know how big the compiled form will be,
++ * but we can't compile it (and thus know how big it is) until we've got a
++ * place to put the code. So we cheat: we compile it twice, once with code
++ * generation turned off and size counting turned on, and once "for real".
++ * This also means that we don't allocate space until we are sure that the
++ * thing really will compile successfully, and we never have to move the
++ * code and thus invalidate pointers into it. (Note that it has to be in
++ * one piece because free() must be able to free it all.)
++ *
++ * Beware that the optimization-preparation code in here knows about some
++ * of the structure of the compiled regexp.
++ */
++regexp *
++regcomp(char *exp,int *patternsize)
++{
++ register regexp *r;
++ register char *scan;
++ register char *longest;
++ register int len;
++ int flags;
++ struct match_globals g;
++
++ /* commented out by ethan
++ extern char *malloc();
++ */
++
++ if (exp == NULL)
++ FAIL("NULL argument");
++
++ /* First pass: determine size, legality. */
++ g.regparse = exp;
++ g.regnpar = 1;
++ g.regsize = 0L;
++ g.regcode = &g.regdummy;
++ regc(&g, MAGIC);
++ if (reg(&g, 0, &flags) == NULL)
++ return(NULL);
++
++ /* Small enough for pointer-storage convention? */
++ if (g.regsize >= 32767L) /* Probably could be 65535L. */
++ FAIL("regexp too big");
++
++ /* Allocate space. */
++ *patternsize=sizeof(regexp) + (unsigned)g.regsize;
++ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize);
++ if (r == NULL)
++ FAIL("out of space");
++
++ /* Second pass: emit code. */
++ g.regparse = exp;
++ g.regnpar = 1;
++ g.regcode = r->program;
++ regc(&g, MAGIC);
++ if (reg(&g, 0, &flags) == NULL)
++ return(NULL);
++
++ /* Dig out information for optimizations. */
++ r->regstart = '\0'; /* Worst-case defaults. */
++ r->reganch = 0;
++ r->regmust = NULL;
++ r->regmlen = 0;
++ scan = r->program+1; /* First BRANCH. */
++ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */
++ scan = OPERAND(scan);
++
++ /* Starting-point info. */
++ if (OP(scan) == EXACTLY)
++ r->regstart = *OPERAND(scan);
++ else if (OP(scan) == BOL)
++ r->reganch++;
++
++ /*
++ * If there's something expensive in the r.e., find the
++ * longest literal string that must appear and make it the
++ * regmust. Resolve ties in favor of later strings, since
++ * the regstart check works with the beginning of the r.e.
++ * and avoiding duplication strengthens checking. Not a
++ * strong reason, but sufficient in the absence of others.
++ */
++ if (flags&SPSTART) {
++ longest = NULL;
++ len = 0;
++ for (; scan != NULL; scan = regnext(&g, scan))
++ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
++ longest = OPERAND(scan);
++ len = strlen(OPERAND(scan));
++ }
++ r->regmust = longest;
++ r->regmlen = len;
++ }
++ }
++
++ return(r);
++}
++
++/*
++ - reg - regular expression, i.e. main body or parenthesized thing
++ *
++ * Caller must absorb opening parenthesis.
++ *
++ * Combining parenthesis handling with the base level of regular expression
++ * is a trifle forced, but the need to tie the tails of the branches to what
++ * follows makes it hard to avoid.
++ */
++static char *
++reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ )
++{
++ register char *ret;
++ register char *br;
++ register char *ender;
++ register int parno = 0; /* 0 makes gcc happy */
++ int flags;
++
++ *flagp = HASWIDTH; /* Tentatively. */
++
++ /* Make an OPEN node, if parenthesized. */
++ if (paren) {
++ if (g->regnpar >= NSUBEXP)
++ FAIL("too many ()");
++ parno = g->regnpar;
++ g->regnpar++;
++ ret = regnode(g, OPEN+parno);
++ } else
++ ret = NULL;
++
++ /* Pick up the branches, linking them together. */
++ br = regbranch(g, &flags);
++ if (br == NULL)
++ return(NULL);
++ if (ret != NULL)
++ regtail(g, ret, br); /* OPEN -> first. */
++ else
++ ret = br;
++ if (!(flags&HASWIDTH))
++ *flagp &= ~HASWIDTH;
++ *flagp |= flags&SPSTART;
++ while (*g->regparse == '|') {
++ g->regparse++;
++ br = regbranch(g, &flags);
++ if (br == NULL)
++ return(NULL);
++ regtail(g, ret, br); /* BRANCH -> BRANCH. */
++ if (!(flags&HASWIDTH))
++ *flagp &= ~HASWIDTH;
++ *flagp |= flags&SPSTART;
++ }
++
++ /* Make a closing node, and hook it on the end. */
++ ender = regnode(g, (paren) ? CLOSE+parno : END);
++ regtail(g, ret, ender);
++
++ /* Hook the tails of the branches to the closing node. */
++ for (br = ret; br != NULL; br = regnext(g, br))
++ regoptail(g, br, ender);
++
++ /* Check for proper termination. */
++ if (paren && *g->regparse++ != ')') {
++ FAIL("unmatched ()");
++ } else if (!paren && *g->regparse != '\0') {
++ if (*g->regparse == ')') {
++ FAIL("unmatched ()");
++ } else
++ FAIL("junk on end"); /* "Can't happen". */
++ /* NOTREACHED */
++ }
++
++ return(ret);
++}
++
++/*
++ - regbranch - one alternative of an | operator
++ *
++ * Implements the concatenation operator.
++ */
++static char *
++regbranch(struct match_globals *g, int *flagp)
++{
++ register char *ret;
++ register char *chain;
++ register char *latest;
++ int flags;
++
++ *flagp = WORST; /* Tentatively. */
++
++ ret = regnode(g, BRANCH);
++ chain = NULL;
++ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') {
++ latest = regpiece(g, &flags);
++ if (latest == NULL)
++ return(NULL);
++ *flagp |= flags&HASWIDTH;
++ if (chain == NULL) /* First piece. */
++ *flagp |= flags&SPSTART;
++ else
++ regtail(g, chain, latest);
++ chain = latest;
++ }
++ if (chain == NULL) /* Loop ran zero times. */
++ (void) regnode(g, NOTHING);
++
++ return(ret);
++}
++
++/*
++ - regpiece - something followed by possible [*+?]
++ *
++ * Note that the branching code sequences used for ? and the general cases
++ * of * and + are somewhat optimized: they use the same NOTHING node as
++ * both the endmarker for their branch list and the body of the last branch.
++ * It might seem that this node could be dispensed with entirely, but the
++ * endmarker role is not redundant.
++ */
++static char *
++regpiece(struct match_globals *g, int *flagp)
++{
++ register char *ret;
++ register char op;
++ register char *next;
++ int flags;
++
++ ret = regatom(g, &flags);
++ if (ret == NULL)
++ return(NULL);
++
++ op = *g->regparse;
++ if (!ISMULT(op)) {
++ *flagp = flags;
++ return(ret);
++ }
++
++ if (!(flags&HASWIDTH) && op != '?')
++ FAIL("*+ operand could be empty");
++ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
++
++ if (op == '*' && (flags&SIMPLE))
++ reginsert(g, STAR, ret);
++ else if (op == '*') {
++ /* Emit x* as (x&|), where & means "self". */
++ reginsert(g, BRANCH, ret); /* Either x */
++ regoptail(g, ret, regnode(g, BACK)); /* and loop */
++ regoptail(g, ret, ret); /* back */
++ regtail(g, ret, regnode(g, BRANCH)); /* or */
++ regtail(g, ret, regnode(g, NOTHING)); /* null. */
++ } else if (op == '+' && (flags&SIMPLE))
++ reginsert(g, PLUS, ret);
++ else if (op == '+') {
++ /* Emit x+ as x(&|), where & means "self". */
++ next = regnode(g, BRANCH); /* Either */
++ regtail(g, ret, next);
++ regtail(g, regnode(g, BACK), ret); /* loop back */
++ regtail(g, next, regnode(g, BRANCH)); /* or */
++ regtail(g, ret, regnode(g, NOTHING)); /* null. */
++ } else if (op == '?') {
++ /* Emit x? as (x|) */
++ reginsert(g, BRANCH, ret); /* Either x */
++ regtail(g, ret, regnode(g, BRANCH)); /* or */
++ next = regnode(g, NOTHING); /* null. */
++ regtail(g, ret, next);
++ regoptail(g, ret, next);
++ }
++ g->regparse++;
++ if (ISMULT(*g->regparse))
++ FAIL("nested *?+");
++
++ return(ret);
++}
++
++/*
++ - regatom - the lowest level
++ *
++ * Optimization: gobbles an entire sequence of ordinary characters so that
++ * it can turn them into a single node, which is smaller to store and
++ * faster to run. Backslashed characters are exceptions, each becoming a
++ * separate node; the code is simpler that way and it's not worth fixing.
++ */
++static char *
++regatom(struct match_globals *g, int *flagp)
++{
++ register char *ret;
++ int flags;
++
++ *flagp = WORST; /* Tentatively. */
++
++ switch (*g->regparse++) {
++ case '^':
++ ret = regnode(g, BOL);
++ break;
++ case '$':
++ ret = regnode(g, EOL);
++ break;
++ case '.':
++ ret = regnode(g, ANY);
++ *flagp |= HASWIDTH|SIMPLE;
++ break;
++ case '[': {
++ register int class;
++ register int classend;
++
++ if (*g->regparse == '^') { /* Complement of range. */
++ ret = regnode(g, ANYBUT);
++ g->regparse++;
++ } else
++ ret = regnode(g, ANYOF);
++ if (*g->regparse == ']' || *g->regparse == '-')
++ regc(g, *g->regparse++);
++ while (*g->regparse != '\0' && *g->regparse != ']') {
++ if (*g->regparse == '-') {
++ g->regparse++;
++ if (*g->regparse == ']' || *g->regparse == '\0')
++ regc(g, '-');
++ else {
++ class = UCHARAT(g->regparse-2)+1;
++ classend = UCHARAT(g->regparse);
++ if (class > classend+1)
++ FAIL("invalid [] range");
++ for (; class <= classend; class++)
++ regc(g, class);
++ g->regparse++;
++ }
++ } else
++ regc(g, *g->regparse++);
++ }
++ regc(g, '\0');
++ if (*g->regparse != ']')
++ FAIL("unmatched []");
++ g->regparse++;
++ *flagp |= HASWIDTH|SIMPLE;
++ }
++ break;
++ case '(':
++ ret = reg(g, 1, &flags);
++ if (ret == NULL)
++ return(NULL);
++ *flagp |= flags&(HASWIDTH|SPSTART);
++ break;
++ case '\0':
++ case '|':
++ case ')':
++ FAIL("internal urp"); /* Supposed to be caught earlier. */
++ break;
++ case '?':
++ case '+':
++ case '*':
++ FAIL("?+* follows nothing");
++ break;
++ case '\\':
++ if (*g->regparse == '\0')
++ FAIL("trailing \\");
++ ret = regnode(g, EXACTLY);
++ regc(g, *g->regparse++);
++ regc(g, '\0');
++ *flagp |= HASWIDTH|SIMPLE;
++ break;
++ default: {
++ register int len;
++ register char ender;
++
++ g->regparse--;
++ len = my_strcspn((const char *)g->regparse, (const char *)META);
++ if (len <= 0)
++ FAIL("internal disaster");
++ ender = *(g->regparse+len);
++ if (len > 1 && ISMULT(ender))
++ len--; /* Back off clear of ?+* operand. */
++ *flagp |= HASWIDTH;
++ if (len == 1)
++ *flagp |= SIMPLE;
++ ret = regnode(g, EXACTLY);
++ while (len > 0) {
++ regc(g, *g->regparse++);
++ len--;
++ }
++ regc(g, '\0');
++ }
++ break;
++ }
++
++ return(ret);
++}
++
++/*
++ - regnode - emit a node
++ */
++static char * /* Location. */
++regnode(struct match_globals *g, char op)
++{
++ register char *ret;
++ register char *ptr;
++
++ ret = g->regcode;
++ if (ret == &g->regdummy) {
++ g->regsize += 3;
++ return(ret);
++ }
++
++ ptr = ret;
++ *ptr++ = op;
++ *ptr++ = '\0'; /* Null "next" pointer. */
++ *ptr++ = '\0';
++ g->regcode = ptr;
++
++ return(ret);
++}
++
++/*
++ - regc - emit (if appropriate) a byte of code
++ */
++static void
++regc(struct match_globals *g, char b)
++{
++ if (g->regcode != &g->regdummy)
++ *g->regcode++ = b;
++ else
++ g->regsize++;
++}
++
++/*
++ - reginsert - insert an operator in front of already-emitted operand
++ *
++ * Means relocating the operand.
++ */
++static void
++reginsert(struct match_globals *g, char op, char* opnd)
++{
++ register char *src;
++ register char *dst;
++ register char *place;
++
++ if (g->regcode == &g->regdummy) {
++ g->regsize += 3;
++ return;
++ }
++
++ src = g->regcode;
++ g->regcode += 3;
++ dst = g->regcode;
++ while (src > opnd)
++ *--dst = *--src;
++
++ place = opnd; /* Op node, where operand used to be. */
++ *place++ = op;
++ *place++ = '\0';
++ *place++ = '\0';
++}
++
++/*
++ - regtail - set the next-pointer at the end of a node chain
++ */
++static void
++regtail(struct match_globals *g, char *p, char *val)
++{
++ register char *scan;
++ register char *temp;
++ register int offset;
++
++ if (p == &g->regdummy)
++ return;
++
++ /* Find last node. */
++ scan = p;
++ for (;;) {
++ temp = regnext(g, scan);
++ if (temp == NULL)
++ break;
++ scan = temp;
++ }
++
++ if (OP(scan) == BACK)
++ offset = scan - val;
++ else
++ offset = val - scan;
++ *(scan+1) = (offset>>8)&0377;
++ *(scan+2) = offset&0377;
++}
++
++/*
++ - regoptail - regtail on operand of first argument; nop if operandless
++ */
++static void
++regoptail(struct match_globals *g, char *p, char *val)
++{
++ /* "Operandless" and "op != BRANCH" are synonymous in practice. */
++ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH)
++ return;
++ regtail(g, OPERAND(p), val);
++}
++
++/*
++ * regexec and friends
++ */
++
++
++/*
++ * Forwards.
++ */
++STATIC int regtry(struct match_globals *g, regexp *prog, char *string);
++STATIC int regmatch(struct match_globals *g, char *prog);
++STATIC int regrepeat(struct match_globals *g, char *p);
++
++#ifdef DEBUG
++int regnarrate = 0;
++void regdump();
++STATIC char *regprop(char *op);
++#endif
++
++/*
++ - regexec - match a regexp against a string
++ */
++int
++regexec(regexp *prog, char *string)
++{
++ register char *s;
++ struct match_globals g;
++
++ /* Be paranoid... */
++ if (prog == NULL || string == NULL) {
++ printk("<3>Regexp: NULL parameter\n");
++ return(0);
++ }
++
++ /* Check validity of program. */
++ if (UCHARAT(prog->program) != MAGIC) {
++ printk("<3>Regexp: corrupted program\n");
++ return(0);
++ }
++
++ /* If there is a "must appear" string, look for it. */
++ if (prog->regmust != NULL) {
++ s = string;
++ while ((s = strchr(s, prog->regmust[0])) != NULL) {
++ if (strncmp(s, prog->regmust, prog->regmlen) == 0)
++ break; /* Found it. */
++ s++;
++ }
++ if (s == NULL) /* Not present. */
++ return(0);
++ }
++
++ /* Mark beginning of line for ^ . */
++ g.regbol = string;
++
++ /* Simplest case: anchored match need be tried only once. */
++ if (prog->reganch)
++ return(regtry(&g, prog, string));
++
++ /* Messy cases: unanchored match. */
++ s = string;
++ if (prog->regstart != '\0')
++ /* We know what char it must start with. */
++ while ((s = strchr(s, prog->regstart)) != NULL) {
++ if (regtry(&g, prog, s))
++ return(1);
++ s++;
++ }
++ else
++ /* We don't -- general case. */
++ do {
++ if (regtry(&g, prog, s))
++ return(1);
++ } while (*s++ != '\0');
++
++ /* Failure. */
++ return(0);
++}
++
++/*
++ - regtry - try match at specific point
++ */
++static int /* 0 failure, 1 success */
++regtry(struct match_globals *g, regexp *prog, char *string)
++{
++ register int i;
++ register char **sp;
++ register char **ep;
++
++ g->reginput = string;
++ g->regstartp = prog->startp;
++ g->regendp = prog->endp;
++
++ sp = prog->startp;
++ ep = prog->endp;
++ for (i = NSUBEXP; i > 0; i--) {
++ *sp++ = NULL;
++ *ep++ = NULL;
++ }
++ if (regmatch(g, prog->program + 1)) {
++ prog->startp[0] = string;
++ prog->endp[0] = g->reginput;
++ return(1);
++ } else
++ return(0);
++}
++
++/*
++ - regmatch - main matching routine
++ *
++ * Conceptually the strategy is simple: check to see whether the current
++ * node matches, call self recursively to see whether the rest matches,
++ * and then act accordingly. In practice we make some effort to avoid
++ * recursion, in particular by going through "ordinary" nodes (that don't
++ * need to know whether the rest of the match failed) by a loop instead of
++ * by recursion.
++ */
++static int /* 0 failure, 1 success */
++regmatch(struct match_globals *g, char *prog)
++{
++ register char *scan = prog; /* Current node. */
++ char *next; /* Next node. */
++
++#ifdef DEBUG
++ if (scan != NULL && regnarrate)
++ fprintf(stderr, "%s(\n", regprop(scan));
++#endif
++ while (scan != NULL) {
++#ifdef DEBUG
++ if (regnarrate)
++ fprintf(stderr, "%s...\n", regprop(scan));
++#endif
++ next = regnext(g, scan);
++
++ switch (OP(scan)) {
++ case BOL:
++ if (g->reginput != g->regbol)
++ return(0);
++ break;
++ case EOL:
++ if (*g->reginput != '\0')
++ return(0);
++ break;
++ case ANY:
++ if (*g->reginput == '\0')
++ return(0);
++ g->reginput++;
++ break;
++ case EXACTLY: {
++ register int len;
++ register char *opnd;
++
++ opnd = OPERAND(scan);
++ /* Inline the first character, for speed. */
++ if (*opnd != *g->reginput)
++ return(0);
++ len = strlen(opnd);
++ if (len > 1 && strncmp(opnd, g->reginput, len) != 0)
++ return(0);
++ g->reginput += len;
++ }
++ break;
++ case ANYOF:
++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL)
++ return(0);
++ g->reginput++;
++ break;
++ case ANYBUT:
++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL)
++ return(0);
++ g->reginput++;
++ break;
++ case NOTHING:
++ case BACK:
++ break;
++ case OPEN+1:
++ case OPEN+2:
++ case OPEN+3:
++ case OPEN+4:
++ case OPEN+5:
++ case OPEN+6:
++ case OPEN+7:
++ case OPEN+8:
++ case OPEN+9: {
++ register int no;
++ register char *save;
++
++ no = OP(scan) - OPEN;
++ save = g->reginput;
++
++ if (regmatch(g, next)) {
++ /*
++ * Don't set startp if some later
++ * invocation of the same parentheses
++ * already has.
++ */
++ if (g->regstartp[no] == NULL)
++ g->regstartp[no] = save;
++ return(1);
++ } else
++ return(0);
++ }
++ break;
++ case CLOSE+1:
++ case CLOSE+2:
++ case CLOSE+3:
++ case CLOSE+4:
++ case CLOSE+5:
++ case CLOSE+6:
++ case CLOSE+7:
++ case CLOSE+8:
++ case CLOSE+9:
++ {
++ register int no;
++ register char *save;
++
++ no = OP(scan) - CLOSE;
++ save = g->reginput;
++
++ if (regmatch(g, next)) {
++ /*
++ * Don't set endp if some later
++ * invocation of the same parentheses
++ * already has.
++ */
++ if (g->regendp[no] == NULL)
++ g->regendp[no] = save;
++ return(1);
++ } else
++ return(0);
++ }
++ break;
++ case BRANCH: {
++ register char *save;
++
++ if (OP(next) != BRANCH) /* No choice. */
++ next = OPERAND(scan); /* Avoid recursion. */
++ else {
++ do {
++ save = g->reginput;
++ if (regmatch(g, OPERAND(scan)))
++ return(1);
++ g->reginput = save;
++ scan = regnext(g, scan);
++ } while (scan != NULL && OP(scan) == BRANCH);
++ return(0);
++ /* NOTREACHED */
++ }
++ }
++ break;
++ case STAR:
++ case PLUS: {
++ register char nextch;
++ register int no;
++ register char *save;
++ register int min;
++
++ /*
++ * Lookahead to avoid useless match attempts
++ * when we know what character comes next.
++ */
++ nextch = '\0';
++ if (OP(next) == EXACTLY)
++ nextch = *OPERAND(next);
++ min = (OP(scan) == STAR) ? 0 : 1;
++ save = g->reginput;
++ no = regrepeat(g, OPERAND(scan));
++ while (no >= min) {
++ /* If it could work, try it. */
++ if (nextch == '\0' || *g->reginput == nextch)
++ if (regmatch(g, next))
++ return(1);
++ /* Couldn't or didn't -- back up. */
++ no--;
++ g->reginput = save + no;
++ }
++ return(0);
++ }
++ break;
++ case END:
++ return(1); /* Success! */
++ break;
++ default:
++ printk("<3>Regexp: memory corruption\n");
++ return(0);
++ break;
++ }
++
++ scan = next;
++ }
++
++ /*
++ * We get here only if there's trouble -- normally "case END" is
++ * the terminating point.
++ */
++ printk("<3>Regexp: corrupted pointers\n");
++ return(0);
++}
++
++/*
++ - regrepeat - repeatedly match something simple, report how many
++ */
++static int
++regrepeat(struct match_globals *g, char *p)
++{
++ register int count = 0;
++ register char *scan;
++ register char *opnd;
++
++ scan = g->reginput;
++ opnd = OPERAND(p);
++ switch (OP(p)) {
++ case ANY:
++ count = strlen(scan);
++ scan += count;
++ break;
++ case EXACTLY:
++ while (*opnd == *scan) {
++ count++;
++ scan++;
++ }
++ break;
++ case ANYOF:
++ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
++ count++;
++ scan++;
++ }
++ break;
++ case ANYBUT:
++ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
++ count++;
++ scan++;
++ }
++ break;
++ default: /* Oh dear. Called inappropriately. */
++ printk("<3>Regexp: internal foulup\n");
++ count = 0; /* Best compromise. */
++ break;
++ }
++ g->reginput = scan;
++
++ return(count);
++}
++
++/*
++ - regnext - dig the "next" pointer out of a node
++ */
++static char*
++regnext(struct match_globals *g, char *p)
++{
++ register int offset;
++
++ if (p == &g->regdummy)
++ return(NULL);
++
++ offset = NEXT(p);
++ if (offset == 0)
++ return(NULL);
++
++ if (OP(p) == BACK)
++ return(p-offset);
++ else
++ return(p+offset);
++}
++
++#ifdef DEBUG
++
++STATIC char *regprop();
++
++/*
++ - regdump - dump a regexp onto stdout in vaguely comprehensible form
++ */
++void
++regdump(regexp *r)
++{
++ register char *s;
++ register char op = EXACTLY; /* Arbitrary non-END op. */
++ register char *next;
++ /* extern char *strchr(); */
++
++
++ s = r->program + 1;
++ while (op != END) { /* While that wasn't END last time... */
++ op = OP(s);
++ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
++ next = regnext(s);
++ if (next == NULL) /* Next ptr. */
++ printf("(0)");
++ else
++ printf("(%d)", (s-r->program)+(next-s));
++ s += 3;
++ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
++ /* Literal string, where present. */
++ while (*s != '\0') {
++ putchar(*s);
++ s++;
++ }
++ s++;
++ }
++ putchar('\n');
++ }
++
++ /* Header fields of interest. */
++ if (r->regstart != '\0')
++ printf("start `%c' ", r->regstart);
++ if (r->reganch)
++ printf("anchored ");
++ if (r->regmust != NULL)
++ printf("must have \"%s\"", r->regmust);
++ printf("\n");
++}
++
++/*
++ - regprop - printable representation of opcode
++ */
++static char *
++regprop(char *op)
++{
++#define BUFLEN 50
++ register char *p;
++ static char buf[BUFLEN];
++
++ strcpy(buf, ":");
++
++ switch (OP(op)) {
++ case BOL:
++ p = "BOL";
++ break;
++ case EOL:
++ p = "EOL";
++ break;
++ case ANY:
++ p = "ANY";
++ break;
++ case ANYOF:
++ p = "ANYOF";
++ break;
++ case ANYBUT:
++ p = "ANYBUT";
++ break;
++ case BRANCH:
++ p = "BRANCH";
++ break;
++ case EXACTLY:
++ p = "EXACTLY";
++ break;
++ case NOTHING:
++ p = "NOTHING";
++ break;
++ case BACK:
++ p = "BACK";
++ break;
++ case END:
++ p = "END";
++ break;
++ case OPEN+1:
++ case OPEN+2:
++ case OPEN+3:
++ case OPEN+4:
++ case OPEN+5:
++ case OPEN+6:
++ case OPEN+7:
++ case OPEN+8:
++ case OPEN+9:
++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
++ p = NULL;
++ break;
++ case CLOSE+1:
++ case CLOSE+2:
++ case CLOSE+3:
++ case CLOSE+4:
++ case CLOSE+5:
++ case CLOSE+6:
++ case CLOSE+7:
++ case CLOSE+8:
++ case CLOSE+9:
++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
++ p = NULL;
++ break;
++ case STAR:
++ p = "STAR";
++ break;
++ case PLUS:
++ p = "PLUS";
++ break;
++ default:
++ printk("<3>Regexp: corrupted opcode\n");
++ break;
++ }
++ if (p != NULL)
++ strncat(buf, p, BUFLEN-strlen(buf));
++ return(buf);
++}
++#endif
++
++
+Index: linux-2.6.22.18/net/netfilter/regexp/regexp.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regexp.h
+@@ -0,0 +1,41 @@
++/*
++ * Definitions etc. for regexp(3) routines.
++ *
++ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
++ * not the System V one.
++ */
++
++#ifndef REGEXP_H
++#define REGEXP_H
++
++
++/*
++http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
++which contains a version of this library, says:
++
++ *
++ * NSUBEXP must be at least 10, and no greater than 117 or the parser
++ * will not work properly.
++ *
++
++However, it looks rather like this library is limited to 10. If you think
++otherwise, let us know.
++*/
++
++#define NSUBEXP 10
++typedef struct regexp {
++ char *startp[NSUBEXP];
++ char *endp[NSUBEXP];
++ char regstart; /* Internal use only. */
++ char reganch; /* Internal use only. */
++ char *regmust; /* Internal use only. */
++ int regmlen; /* Internal use only. */
++ char program[1]; /* Unwarranted chumminess with compiler. */
++} regexp;
++
++regexp * regcomp(char *exp, int *patternsize);
++int regexec(regexp *prog, char *string);
++void regsub(regexp *prog, char *source, char *dest);
++void regerror(char *s);
++
++#endif
+Index: linux-2.6.22.18/net/netfilter/regexp/regmagic.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regmagic.h
+@@ -0,0 +1,5 @@
++/*
++ * The first byte of the regexp internal "program" is actually this magic
++ * number; the start node begins in the second byte.
++ */
++#define MAGIC 0234
+Index: linux-2.6.22.18/net/netfilter/regexp/regsub.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regsub.c
+@@ -0,0 +1,95 @@
++/*
++ * regsub
++ * @(#)regsub.c 1.3 of 2 April 86
++ *
++ * Copyright (c) 1986 by University of Toronto.
++ * Written by Henry Spencer. Not derived from licensed software.
++ *
++ * Permission is granted to anyone to use this software for any
++ * purpose on any computer system, and to redistribute it freely,
++ * subject to the following restrictions:
++ *
++ * 1. The author is not responsible for the consequences of use of
++ * this software, no matter how awful, even if they arise
++ * from defects in it.
++ *
++ * 2. The origin of this software must not be misrepresented, either
++ * by explicit claim or by omission.
++ *
++ * 3. Altered versions must be plainly marked as such, and must not
++ * be misrepresented as being the original software.
++ *
++ *
++ * This code was modified by Ethan Sommer to work within the kernel
++ * (it now uses kmalloc etc..)
++ *
++ */
++#include "regexp.h"
++#include "regmagic.h"
++#include <linux/string.h>
++
++
++#ifndef CHARBITS
++#define UCHARAT(p) ((int)*(unsigned char *)(p))
++#else
++#define UCHARAT(p) ((int)*(p)&CHARBITS)
++#endif
++
++#if 0
++//void regerror(char * s)
++//{
++// printk("regexp(3): %s", s);
++// /* NOTREACHED */
++//}
++#endif
++
++/*
++ - regsub - perform substitutions after a regexp match
++ */
++void
++regsub(regexp * prog, char * source, char * dest)
++{
++ register char *src;
++ register char *dst;
++ register char c;
++ register int no;
++ register int len;
++
++ /* Not necessary and gcc doesn't like it -MLS */
++ /*extern char *strncpy();*/
++
++ if (prog == NULL || source == NULL || dest == NULL) {
++ regerror("NULL parm to regsub");
++ return;
++ }
++ if (UCHARAT(prog->program) != MAGIC) {
++ regerror("damaged regexp fed to regsub");
++ return;
++ }
++
++ src = source;
++ dst = dest;
++ while ((c = *src++) != '\0') {
++ if (c == '&')
++ no = 0;
++ else if (c == '\\' && '0' <= *src && *src <= '9')
++ no = *src++ - '0';
++ else
++ no = -1;
++
++ if (no < 0) { /* Ordinary character. */
++ if (c == '\\' && (*src == '\\' || *src == '&'))
++ c = *src++;
++ *dst++ = c;
++ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
++ len = prog->endp[no] - prog->startp[no];
++ (void) strncpy(dst, prog->startp[no], len);
++ dst += len;
++ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
++ regerror("damaged match string");
++ return;
++ }
++ }
++ }
++ *dst++ = '\0';
++}
+Index: linux-2.6.22.18/net/netfilter/nf_conntrack_core.c
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/nf_conntrack_core.c
++++ linux-2.6.22.18/net/netfilter/nf_conntrack_core.c
+@@ -330,6 +330,14 @@ destroy_conntrack(struct nf_conntrack *n
+ * too. */
+ nf_ct_remove_expectations(ct);
+
++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(ct->layer7.app_proto)
++ kfree(ct->layer7.app_proto);
++ if(ct->layer7.app_data)
++ kfree(ct->layer7.app_data);
++ #endif
++
++
+ /* We overload first tuple to link into unconfirmed list. */
+ if (!nf_ct_is_confirmed(ct)) {
+ BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
+Index: linux-2.6.22.18/net/netfilter/nf_conntrack_standalone.c
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/nf_conntrack_standalone.c
++++ linux-2.6.22.18/net/netfilter/nf_conntrack_standalone.c
+@@ -184,7 +184,12 @@ static int ct_seq_show(struct seq_file *
+ return -ENOSPC;
+ #endif
+
+- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(conntrack->layer7.app_proto)
++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))
++ return -ENOSPC;
++#endif
++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use)))
+ return -ENOSPC;
+
+ return 0;
+Index: linux-2.6.22.18/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.22.18.orig/include/net/netfilter/nf_conntrack.h
++++ linux-2.6.22.18/include/net/netfilter/nf_conntrack.h
+@@ -128,6 +128,22 @@ struct nf_conn
+ u_int32_t secmark;
+ #endif
+
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ struct {
++ /*
++ * e.g. "http". NULL before decision. "unknown" after decision
++ * if no match.
++ */
++ char *app_proto;
++ /*
++ * application layer data so far. NULL after match decision.
++ */
++ char *app_data;
++ unsigned int app_data_len;
++ } layer7;
++#endif
++
+ /* Storage reserved for other modules: */
+ union nf_conntrack_proto proto;
+
+Index: linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
+@@ -0,0 +1,13 @@
++#ifndef _XT_LAYER7_H
++#define _XT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++struct xt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char pattern[MAX_PATTERN_LEN];
++ u_int8_t invert;
++};
++
++#endif /* _XT_LAYER7_H */
+++ /dev/null
-Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:43:29.440242750 +0200
-@@ -0,0 +1,26 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
-+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+};
-+
-+#endif /* _IPT_LAYER7_H */
-Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c
-===================================================================
---- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:21.833537750 +0200
-+++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:23.497641750 +0200
-@@ -330,6 +330,13 @@
- * too. */
- nf_ct_remove_expectations(ct);
-
-+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ kfree(ct->layer7.app_proto);
-+ if(ct->layer7.app_data)
-+ kfree(ct->layer7.app_data);
-+ #endif
-+
- /* We overload first tuple to link into unconfirmed list. */
- if (!nf_ct_is_confirmed(ct)) {
- BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c
-===================================================================
---- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:21.845538500 +0200
-+++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:23.521643250 +0200
-@@ -184,6 +184,12 @@
- return -ENOSPC;
- #endif
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(conntrack->layer7.app_proto)
-+ if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto))
-+ return 1;
-+#endif
-+
- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
- return -ENOSPC;
-
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:43:44.341174000 +0200
-@@ -0,0 +1,583 @@
-+/*
-+ Kernel module to match application layer (OSI layer 7) data in connections.
-+
-+ http://l7-filter.sf.net
-+
-+ By Matthew Strait and Ethan Sommer, 2003-2006.
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
-+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
-+
-+ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
-+*/
-+
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/proc_fs.h>
-+#include <linux/ctype.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_nat_rule.h>
-+#include <linux/spinlock.h>
-+
-+#include "regexp/regexp.c"
-+
-+#include <linux/netfilter_ipv4/ipt_layer7.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
-+MODULE_LICENSE("GPL");
-+MODULE_DESCRIPTION("iptables application layer match module");
-+MODULE_VERSION("2.0");
-+
-+static int maxdatalen = 2048; // this is the default
-+module_param(maxdatalen, int, 0444);
-+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+ #define DPRINTK(format,args...) printk(format,##args)
-+#else
-+ #define DPRINTK(format,args...)
-+#endif
-+
-+#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
-+ master_conntrack->counters[IP_CT_DIR_REPLY].packets
-+
-+/* Number of packets whose data we look at.
-+This can be modified through /proc/net/layer7_numpackets */
-+static int num_packets = 10;
-+
-+static struct pattern_cache {
-+ char * regex_string;
-+ regexp * pattern;
-+ struct pattern_cache * next;
-+} * first_pattern_cache = NULL;
-+
-+/* I'm new to locking. Here are my assumptions:
-+
-+- No one will write to /proc/net/layer7_numpackets over and over very fast;
-+ if they did, nothing awful would happen.
-+
-+- This code will never be processing the same packet twice at the same time,
-+ because iptables rules are traversed in order.
-+
-+- It doesn't matter if two packets from different connections are in here at
-+ the same time, because they don't share any data.
-+
-+- It _does_ matter if two packets from the same connection (or one from a
-+ master and one from its child) are here at the same time. In this case,
-+ we have to protect the conntracks and the list of compiled patterns.
-+*/
-+DEFINE_RWLOCK(ct_lock);
-+DEFINE_SPINLOCK(list_lock);
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+/* Converts an unfriendly string into a friendly one by
-+replacing unprintables with periods and all whitespace with " ". */
-+static char * friendly_print(unsigned char * s)
-+{
-+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!f) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++){
-+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
-+ else if(isspace(s[i])) f[i] = ' ';
-+ else f[i] = '.';
-+ }
-+ f[i] = '\0';
-+ return f;
-+}
-+
-+static char dec2hex(int i)
-+{
-+ switch (i) {
-+ case 0 ... 9:
-+ return (char)(i + '0');
-+ break;
-+ case 10 ... 15:
-+ return (char)(i - 10 + 'a');
-+ break;
-+ default:
-+ if (net_ratelimit())
-+ printk("Problem in dec2hex\n");
-+ return '\0';
-+ }
-+}
-+
-+static char * hex_print(unsigned char * s)
-+{
-+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!g) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++) {
-+ g[i*3 ] = dec2hex(s[i]/16);
-+ g[i*3 + 1] = dec2hex(s[i]%16);
-+ g[i*3 + 2] = ' ';
-+ }
-+ g[i*3] = '\0';
-+
-+ return g;
-+}
-+#endif // DEBUG
-+
-+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
-+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(char * regex_string, char * protocol)
-+{
-+ struct pattern_cache * node = first_pattern_cache;
-+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
-+ struct pattern_cache * tmp;
-+ unsigned int len;
-+
-+ while (node != NULL) {
-+ if (!strcmp(node->regex_string, regex_string))
-+ return node->pattern;
-+
-+ last_pattern_cache = node;/* points at the last non-NULL node */
-+ node = node->next;
-+ }
-+
-+ /* If we reach the end of the list, then we have not yet cached
-+ the pattern for this regex. Let's do that now.
-+ Be paranoid about running out of memory to avoid list corruption. */
-+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
-+
-+ if(!tmp) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
-+ return NULL;
-+ }
-+
-+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
-+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
-+ tmp->next = NULL;
-+
-+ if(!tmp->regex_string || !tmp->pattern) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
-+ kfree(tmp->regex_string);
-+ kfree(tmp->pattern);
-+ kfree(tmp);
-+ return NULL;
-+ }
-+
-+ /* Ok. The new node is all ready now. */
-+ node = tmp;
-+
-+ if(first_pattern_cache == NULL) /* list is empty */
-+ first_pattern_cache = node; /* make node the beginning */
-+ else
-+ last_pattern_cache->next = node; /* attach node to the end */
-+
-+ /* copy the string and compile the regex */
-+ len = strlen(regex_string);
-+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp(regex_string, &len);
-+ if ( !node->pattern ) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
-+ /* pattern is now cached as NULL, so we won't try again. */
-+ }
-+
-+ strcpy(node->regex_string, regex_string);
-+ return node->pattern;
-+}
-+
-+static int can_handle(const struct sk_buff *skb)
-+{
-+ if(!ip_hdr(skb)) /* not IP */
-+ return 0;
-+ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
-+ ip_hdr(skb)->protocol != IPPROTO_UDP &&
-+ ip_hdr(skb)->protocol != IPPROTO_ICMP)
-+ return 0;
-+ return 1;
-+}
-+
-+/* Returns offset the into the skb->data that the application data starts */
-+static int app_data_offset(const struct sk_buff *skb)
-+{
-+ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
-+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+ int ip_hl = 4*ip_hdr(skb)->ihl;
-+
-+ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
-+ /* 12 == offset into TCP header for the header length field.
-+ Can't get this with skb->h.th->doff because the tcphdr
-+ struct doesn't get set when routing (this is confirmed to be
-+ true in Netfilter as well as QoS.) */
-+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
-+
-+ return ip_hl + tcp_hl;
-+ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
-+ return ip_hl + 8; /* UDP header is always 8 bytes */
-+ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
-+ return ip_hl + 8; /* ICMP header is 8 bytes */
-+ } else {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
-+ return ip_hl + 8; /* something reasonable */
-+ }
-+}
-+
-+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack,
-+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
-+ struct ipt_layer7_info * info)
-+{
-+ /* If we're in here, throw the app data away */
-+ write_lock(&ct_lock);
-+ if(master_conntrack->layer7.app_data != NULL) {
-+
-+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+ if(!master_conntrack->layer7.app_proto) {
-+ char * f = friendly_print(master_conntrack->layer7.app_data);
-+ char * g = hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
-+ strlen(f), TOTAL_PACKETS, f);
-+ kfree(f);
-+ DPRINTK("In hex: %s\n", g);
-+ kfree(g);
-+ }
-+ #endif
-+
-+ kfree(master_conntrack->layer7.app_data);
-+ master_conntrack->layer7.app_data = NULL; /* don't free again */
-+ }
-+ write_unlock(&ct_lock);
-+
-+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
-+ write_lock(&ct_lock);
-+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
-+ if(!conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return 1;
-+ }
-+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
-+ }
-+ write_unlock(&ct_lock);
-+
-+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
-+ }
-+ else {
-+ /* If not classified, set to "unknown" to distinguish from
-+ connections that are still being tested. */
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return 1;
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ write_unlock(&ct_lock);
-+ return 0;
-+ }
-+}
-+
-+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct nf_conn * master_conntrack,
-+ char * app_data, int appdatalen)
-+{
-+ int length = 0, i;
-+ int oldlength = master_conntrack->layer7.app_data_len;
-+
-+ // This is a fix for a race condition by Deti Fliegl. However, I'm not
-+ // clear on whether the race condition exists or whether this really
-+ // fixes it. I might just be being dense... Anyway, if it's not really
-+ // a fix, all it does is waste a very small amount of time.
-+ if(!master_conntrack->layer7.app_data) return 0;
-+
-+ /* Strip nulls. Make everything lower case (our regex lib doesn't
-+ do case insensitivity). Add it to the end of the current data. */
-+ for(i = 0; i < maxdatalen-oldlength-1 &&
-+ i < appdatalen; i++) {
-+ if(app_data[i] != '\0') {
-+ master_conntrack->layer7.app_data[length+oldlength] =
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
-+ length++;
-+ }
-+ }
-+
-+ master_conntrack->layer7.app_data[length+oldlength] = '\0';
-+ master_conntrack->layer7.app_data_len = length + oldlength;
-+
-+ return length;
-+}
-+
-+/* Returns true on match and false otherwise. */
-+static int match(const struct sk_buff *skbin,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo,
-+ int offset, unsigned int protoff, int *hotdrop)
-+{
-+ /* sidestep const without getting a compiler warning... */
-+ struct sk_buff * skb = (struct sk_buff *)skbin;
-+
-+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
-+ enum ip_conntrack_info master_ctinfo, ctinfo;
-+ struct nf_conn *master_conntrack;
-+ struct nf_conn *conntrack;
-+ unsigned char * app_data;
-+ unsigned int pattern_result, appdatalen;
-+ regexp * comppattern;
-+
-+ if(!can_handle(skb)){
-+ DPRINTK("layer7: This is some protocol I can't handle.\n");
-+ return info->invert;
-+ }
-+
-+ /* Treat parent & all its children together as one connection, except
-+ for the purpose of setting conntrack->layer7.app_proto in the actual
-+ connection. This makes /proc/net/ip_conntrack more satisfying. */
-+ if(((conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
-+ ((master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
-+ return info->invert;
-+ }
-+
-+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
-+ while (master_ct(master_conntrack) != NULL)
-+ master_conntrack = master_ct(master_conntrack);
-+
-+ /* if we've classified it or seen too many packets */
-+ if(TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto) {
-+
-+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
-+
-+ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7
-+ rules. I'm not sure that using cb for this purpose is correct, even though
-+ it says "put your private variables there". But it doesn't look like it
-+ is being used for anything else in the skbs that make it here. */
-+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
-+
-+ return (pattern_result ^ info->invert);
-+ }
-+
-+ if(skb_is_nonlinear(skb)){
-+ if(skb_linearize(skb) != 0){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
-+ return info->invert;
-+ }
-+ }
-+
-+ /* now that the skb is linearized, it's safe to set these. */
-+ app_data = skb->data + app_data_offset(skb);
-+ appdatalen = skb->tail - app_data;
-+
-+ spin_lock_bh(&list_lock);
-+ /* the return value gets checked later, when we're ready to use it */
-+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+ spin_unlock_bh(&list_lock);
-+
-+ /* On the first packet of a connection, allocate space for app data */
-+ write_lock(&ct_lock);
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_data){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return info->invert;
-+ }
-+
-+ master_conntrack->layer7.app_data[0] = '\0';
-+ }
-+ write_unlock(&ct_lock);
-+
-+ /* Can be here, but unallocated, if numpackets is increased near
-+ the beginning of a connection */
-+ if(master_conntrack->layer7.app_data == NULL)
-+ return (info->invert); /* unmatched */
-+
-+ if(!skb->cb[0]){
-+ int newbytes;
-+ write_lock(&ct_lock);
-+ newbytes = add_data(master_conntrack, app_data, appdatalen);
-+ write_unlock(&ct_lock);
-+
-+ if(newbytes == 0) { /* didn't add any data */
-+ skb->cb[0] = 1;
-+ /* Didn't match before, not going to match now */
-+ return info->invert;
-+ }
-+ }
-+
-+ /* If looking for "unknown", then never match. "Unknown" means that
-+ we've given up; we're still trying with these packets. */
-+ read_lock(&ct_lock);
-+ if(!strcmp(info->protocol, "unknown")) {
-+ pattern_result = 0;
-+ /* If looking for "unset", then always match. "Unset" means that we
-+ haven't yet classified the connection. */
-+ } else if(!strcmp(info->protocol, "unset")) {
-+ pattern_result = 2;
-+ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
-+ /* If the regexp failed to compile, don't bother running it */
-+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
-+ DPRINTK("layer7: matched %s\n", info->protocol);
-+ pattern_result = 1;
-+ } else pattern_result = 0;
-+ read_unlock(&ct_lock);
-+
-+ if(pattern_result == 1) {
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return (pattern_result ^ info->invert);
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, info->protocol);
-+ write_unlock(&ct_lock);
-+ } else if(pattern_result > 1) { /* cleanup from "unset" */
-+ pattern_result = 1;
-+ }
-+
-+ /* mark the packet seen */
-+ skb->cb[0] = 1;
-+
-+ return (pattern_result ^ info->invert);
-+}
-+
-+static struct xt_match layer7_match = {
-+ .name = "layer7",
-+ .match = &match,
-+ .matchsize = sizeof(struct ipt_layer7_info),
-+ .family = AF_INET,
-+ .me = THIS_MODULE
-+};
-+
-+/* taken from drivers/video/modedb.c */
-+static int my_atoi(const char *s)
-+{
-+ int val = 0;
-+
-+ for (;; s++) {
-+ switch (*s) {
-+ case '0'...'9':
-+ val = 10*val+(*s-'0');
-+ break;
-+ default:
-+ return val;
-+ }
-+ }
-+}
-+
-+/* write out num_packets to userland. */
-+static int layer7_read_proc(char* page, char ** start, off_t off, int count,
-+ int* eof, void * data)
-+{
-+ if(num_packets > 99 && net_ratelimit())
-+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
-+
-+ page[0] = num_packets/10 + '0';
-+ page[1] = num_packets%10 + '0';
-+ page[2] = '\n';
-+ page[3] = '\0';
-+
-+ *eof=1;
-+
-+ return 3;
-+}
-+
-+/* Read in num_packets from userland */
-+static int layer7_write_proc(struct file* file, const char* buffer,
-+ unsigned long count, void *data)
-+{
-+ char * foo = kmalloc(count, GFP_ATOMIC);
-+
-+ if(!foo){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
-+ return count;
-+ }
-+
-+ if(copy_from_user(foo, buffer, count)) {
-+ return -EFAULT;
-+ }
-+
-+
-+ num_packets = my_atoi(foo);
-+ kfree (foo);
-+
-+ /* This has an arbitrary limit to make the math easier. I'm lazy.
-+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
-+ if(num_packets > 99) {
-+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
-+ num_packets = 99;
-+ } else if(num_packets < 1) {
-+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
-+ num_packets = 1;
-+ }
-+
-+ return count;
-+}
-+
-+/* register the proc file */
-+static void layer7_init_proc(void)
-+{
-+ struct proc_dir_entry* entry;
-+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+ entry->read_proc = layer7_read_proc;
-+ entry->write_proc = layer7_write_proc;
-+}
-+
-+static void layer7_cleanup_proc(void)
-+{
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+}
-+
-+static int __init ipt_layer7_init(void)
-+{
-+ need_conntrack();
-+
-+ layer7_init_proc();
-+ if(maxdatalen < 1) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
-+ maxdatalen = 1;
-+ }
-+ /* This is not a hard limit. It's just here to prevent people from
-+ bringing their slow machines to a grinding halt. */
-+ else if(maxdatalen > 65536) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
-+ maxdatalen = 65536;
-+ }
-+ return xt_register_match(&layer7_match);
-+}
-+
-+static void __exit ipt_layer7_fini(void)
-+{
-+ layer7_cleanup_proc();
-+ xt_unregister_match(&layer7_match);
-+}
-+
-+module_init(ipt_layer7_init);
-+module_exit(ipt_layer7_fini);
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig
-===================================================================
---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Kconfig 2007-07-02 02:16:21.857539250 +0200
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig 2007-07-02 03:43:29.324235500 +0200
-@@ -63,6 +63,24 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config IP_NF_MATCH_LAYER7
-+ tristate "Layer 7 match support (EXPERIMENTAL)"
-+ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
-+ help
-+ Say Y if you want to be able to classify connections (and their
-+ packets) based on regular expression matching of their application
-+ layer data. This is one way to classify applications such as
-+ peer-to-peer filesharing systems that do not always use the same
-+ port.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_MATCH_LAYER7_DEBUG
-+ bool "Layer 7 debugging output"
-+ depends on IP_NF_MATCH_LAYER7
-+ help
-+ Say Y to get lots of debugging output.
-+
- config IP_NF_MATCH_TOS
- tristate "TOS match support"
- depends on IP_NF_IPTABLES
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/Makefile
-===================================================================
---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Makefile 2007-07-02 02:16:21.865539750 +0200
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/Makefile 2007-07-02 03:43:29.336236250 +0200
-@@ -50,6 +50,8 @@
- obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
- obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-
-+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
-+
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
- obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 02:35:33.797531000 +0200
-@@ -0,0 +1,1197 @@
-+/*
-+ * regcomp and regexec -- regsub and regerror are elsewhere
-+ * @(#)regexp.c 1.3 of 18 April 87
-+ *
-+ * Copyright (c) 1986 by University of Toronto.
-+ * Written by Henry Spencer. Not derived from licensed software.
-+ *
-+ * Permission is granted to anyone to use this software for any
-+ * purpose on any computer system, and to redistribute it freely,
-+ * subject to the following restrictions:
-+ *
-+ * 1. The author is not responsible for the consequences of use of
-+ * this software, no matter how awful, even if they arise
-+ * from defects in it.
-+ *
-+ * 2. The origin of this software must not be misrepresented, either
-+ * by explicit claim or by omission.
-+ *
-+ * 3. Altered versions must be plainly marked as such, and must not
-+ * be misrepresented as being the original software.
-+ *
-+ * Beware that some of this code is subtly aware of the way operator
-+ * precedence is structured in regular expressions. Serious changes in
-+ * regular-expression syntax might require a total rethink.
-+ *
-+ * This code was modified by Ethan Sommer to work within the kernel
-+ * (it now uses kmalloc etc..)
-+ *
-+ * Modified slightly by Matthew Strait to use more modern C.
-+ */
-+
-+#include "regexp.h"
-+#include "regmagic.h"
-+
-+/* added by ethan and matt. Lets it work in both kernel and user space.
-+(So iptables can use it, for instance.) Yea, it goes both ways... */
-+#if __KERNEL__
-+ #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
-+#else
-+ #define printk(format,args...) printf(format,##args)
-+#endif
-+
-+void regerror(char * s)
-+{
-+ printk("<3>Regexp: %s\n", s);
-+ /* NOTREACHED */
-+}
-+
-+/*
-+ * The "internal use only" fields in regexp.h are present to pass info from
-+ * compile to execute that permits the execute phase to run lots faster on
-+ * simple cases. They are:
-+ *
-+ * regstart char that must begin a match; '\0' if none obvious
-+ * reganch is the match anchored (at beginning-of-line only)?
-+ * regmust string (pointer into program) that match must include, or NULL
-+ * regmlen length of regmust string
-+ *
-+ * Regstart and reganch permit very fast decisions on suitable starting points
-+ * for a match, cutting down the work a lot. Regmust permits fast rejection
-+ * of lines that cannot possibly match. The regmust tests are costly enough
-+ * that regcomp() supplies a regmust only if the r.e. contains something
-+ * potentially expensive (at present, the only such thing detected is * or +
-+ * at the start of the r.e., which can involve a lot of backup). Regmlen is
-+ * supplied because the test in regexec() needs it and regcomp() is computing
-+ * it anyway.
-+ */
-+
-+/*
-+ * Structure for regexp "program". This is essentially a linear encoding
-+ * of a nondeterministic finite-state machine (aka syntax charts or
-+ * "railroad normal form" in parsing technology). Each node is an opcode
-+ * plus a "next" pointer, possibly plus an operand. "Next" pointers of
-+ * all nodes except BRANCH implement concatenation; a "next" pointer with
-+ * a BRANCH on both ends of it is connecting two alternatives. (Here we
-+ * have one of the subtle syntax dependencies: an individual BRANCH (as
-+ * opposed to a collection of them) is never concatenated with anything
-+ * because of operator precedence.) The operand of some types of node is
-+ * a literal string; for others, it is a node leading into a sub-FSM. In
-+ * particular, the operand of a BRANCH node is the first node of the branch.
-+ * (NB this is *not* a tree structure: the tail of the branch connects
-+ * to the thing following the set of BRANCHes.) The opcodes are:
-+ */
-+
-+/* definition number opnd? meaning */
-+#define END 0 /* no End of program. */
-+#define BOL 1 /* no Match "" at beginning of line. */
-+#define EOL 2 /* no Match "" at end of line. */
-+#define ANY 3 /* no Match any one character. */
-+#define ANYOF 4 /* str Match any character in this string. */
-+#define ANYBUT 5 /* str Match any character not in this string. */
-+#define BRANCH 6 /* node Match this alternative, or the next... */
-+#define BACK 7 /* no Match "", "next" ptr points backward. */
-+#define EXACTLY 8 /* str Match this string. */
-+#define NOTHING 9 /* no Match empty string. */
-+#define STAR 10 /* node Match this (simple) thing 0 or more times. */
-+#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
-+#define OPEN 20 /* no Mark this point in input as start of #n. */
-+ /* OPEN+1 is number 1, etc. */
-+#define CLOSE 30 /* no Analogous to OPEN. */
-+
-+/*
-+ * Opcode notes:
-+ *
-+ * BRANCH The set of branches constituting a single choice are hooked
-+ * together with their "next" pointers, since precedence prevents
-+ * anything being concatenated to any individual branch. The
-+ * "next" pointer of the last BRANCH in a choice points to the
-+ * thing following the whole choice. This is also where the
-+ * final "next" pointer of each individual branch points; each
-+ * branch starts with the operand node of a BRANCH node.
-+ *
-+ * BACK Normal "next" pointers all implicitly point forward; BACK
-+ * exists to make loop structures possible.
-+ *
-+ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
-+ * BRANCH structures using BACK. Simple cases (one character
-+ * per match) are implemented with STAR and PLUS for speed
-+ * and to minimize recursive plunges.
-+ *
-+ * OPEN,CLOSE ...are numbered at compile time.
-+ */
-+
-+/*
-+ * A node is one char of opcode followed by two chars of "next" pointer.
-+ * "Next" pointers are stored as two 8-bit pieces, high order first. The
-+ * value is a positive offset from the opcode of the node containing it.
-+ * An operand, if any, simply follows the node. (Note that much of the
-+ * code generation knows about this implicit relationship.)
-+ *
-+ * Using two bytes for the "next" pointer is vast overkill for most things,
-+ * but allows patterns to get big without disasters.
-+ */
-+#define OP(p) (*(p))
-+#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
-+#define OPERAND(p) ((p) + 3)
-+
-+/*
-+ * See regmagic.h for one further detail of program structure.
-+ */
-+
-+
-+/*
-+ * Utility definitions.
-+ */
-+#ifndef CHARBITS
-+#define UCHARAT(p) ((int)*(unsigned char *)(p))
-+#else
-+#define UCHARAT(p) ((int)*(p)&CHARBITS)
-+#endif
-+
-+#define FAIL(m) { regerror(m); return(NULL); }
-+#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
-+#define META "^$.[()|?+*\\"
-+
-+/*
-+ * Flags to be passed up and down.
-+ */
-+#define HASWIDTH 01 /* Known never to match null string. */
-+#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
-+#define SPSTART 04 /* Starts with * or +. */
-+#define WORST 0 /* Worst case. */
-+
-+/*
-+ * Global work variables for regcomp().
-+ */
-+struct match_globals {
-+char *reginput; /* String-input pointer. */
-+char *regbol; /* Beginning of input, for ^ check. */
-+char **regstartp; /* Pointer to startp array. */
-+char **regendp; /* Ditto for endp. */
-+char *regparse; /* Input-scan pointer. */
-+int regnpar; /* () count. */
-+char regdummy;
-+char *regcode; /* Code-emit pointer; ®dummy = don't. */
-+long regsize; /* Code size. */
-+};
-+
-+/*
-+ * Forward declarations for regcomp()'s friends.
-+ */
-+#ifndef STATIC
-+#define STATIC static
-+#endif
-+STATIC char *reg(struct match_globals *g, int paren,int *flagp);
-+STATIC char *regbranch(struct match_globals *g, int *flagp);
-+STATIC char *regpiece(struct match_globals *g, int *flagp);
-+STATIC char *regatom(struct match_globals *g, int *flagp);
-+STATIC char *regnode(struct match_globals *g, char op);
-+STATIC char *regnext(struct match_globals *g, char *p);
-+STATIC void regc(struct match_globals *g, char b);
-+STATIC void reginsert(struct match_globals *g, char op, char *opnd);
-+STATIC void regtail(struct match_globals *g, char *p, char *val);
-+STATIC void regoptail(struct match_globals *g, char *p, char *val);
-+
-+
-+__kernel_size_t my_strcspn(const char *s1,const char *s2)
-+{
-+ char *scan1;
-+ char *scan2;
-+ int count;
-+
-+ count = 0;
-+ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
-+ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
-+ if (*scan1 == *scan2++)
-+ return(count);
-+ count++;
-+ }
-+ return(count);
-+}
-+
-+/*
-+ - regcomp - compile a regular expression into internal code
-+ *
-+ * We can't allocate space until we know how big the compiled form will be,
-+ * but we can't compile it (and thus know how big it is) until we've got a
-+ * place to put the code. So we cheat: we compile it twice, once with code
-+ * generation turned off and size counting turned on, and once "for real".
-+ * This also means that we don't allocate space until we are sure that the
-+ * thing really will compile successfully, and we never have to move the
-+ * code and thus invalidate pointers into it. (Note that it has to be in
-+ * one piece because free() must be able to free it all.)
-+ *
-+ * Beware that the optimization-preparation code in here knows about some
-+ * of the structure of the compiled regexp.
-+ */
-+regexp *
-+regcomp(char *exp,int *patternsize)
-+{
-+ register regexp *r;
-+ register char *scan;
-+ register char *longest;
-+ register int len;
-+ int flags;
-+ struct match_globals g;
-+
-+ /* commented out by ethan
-+ extern char *malloc();
-+ */
-+
-+ if (exp == NULL)
-+ FAIL("NULL argument");
-+
-+ /* First pass: determine size, legality. */
-+ g.regparse = exp;
-+ g.regnpar = 1;
-+ g.regsize = 0L;
-+ g.regcode = &g.regdummy;
-+ regc(&g, MAGIC);
-+ if (reg(&g, 0, &flags) == NULL)
-+ return(NULL);
-+
-+ /* Small enough for pointer-storage convention? */
-+ if (g.regsize >= 32767L) /* Probably could be 65535L. */
-+ FAIL("regexp too big");
-+
-+ /* Allocate space. */
-+ *patternsize=sizeof(regexp) + (unsigned)g.regsize;
-+ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize);
-+ if (r == NULL)
-+ FAIL("out of space");
-+
-+ /* Second pass: emit code. */
-+ g.regparse = exp;
-+ g.regnpar = 1;
-+ g.regcode = r->program;
-+ regc(&g, MAGIC);
-+ if (reg(&g, 0, &flags) == NULL)
-+ return(NULL);
-+
-+ /* Dig out information for optimizations. */
-+ r->regstart = '\0'; /* Worst-case defaults. */
-+ r->reganch = 0;
-+ r->regmust = NULL;
-+ r->regmlen = 0;
-+ scan = r->program+1; /* First BRANCH. */
-+ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */
-+ scan = OPERAND(scan);
-+
-+ /* Starting-point info. */
-+ if (OP(scan) == EXACTLY)
-+ r->regstart = *OPERAND(scan);
-+ else if (OP(scan) == BOL)
-+ r->reganch++;
-+
-+ /*
-+ * If there's something expensive in the r.e., find the
-+ * longest literal string that must appear and make it the
-+ * regmust. Resolve ties in favor of later strings, since
-+ * the regstart check works with the beginning of the r.e.
-+ * and avoiding duplication strengthens checking. Not a
-+ * strong reason, but sufficient in the absence of others.
-+ */
-+ if (flags&SPSTART) {
-+ longest = NULL;
-+ len = 0;
-+ for (; scan != NULL; scan = regnext(&g, scan))
-+ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
-+ longest = OPERAND(scan);
-+ len = strlen(OPERAND(scan));
-+ }
-+ r->regmust = longest;
-+ r->regmlen = len;
-+ }
-+ }
-+
-+ return(r);
-+}
-+
-+/*
-+ - reg - regular expression, i.e. main body or parenthesized thing
-+ *
-+ * Caller must absorb opening parenthesis.
-+ *
-+ * Combining parenthesis handling with the base level of regular expression
-+ * is a trifle forced, but the need to tie the tails of the branches to what
-+ * follows makes it hard to avoid.
-+ */
-+static char *
-+reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ )
-+{
-+ register char *ret;
-+ register char *br;
-+ register char *ender;
-+ register int parno = 0; /* 0 makes gcc happy */
-+ int flags;
-+
-+ *flagp = HASWIDTH; /* Tentatively. */
-+
-+ /* Make an OPEN node, if parenthesized. */
-+ if (paren) {
-+ if (g->regnpar >= NSUBEXP)
-+ FAIL("too many ()");
-+ parno = g->regnpar;
-+ g->regnpar++;
-+ ret = regnode(g, OPEN+parno);
-+ } else
-+ ret = NULL;
-+
-+ /* Pick up the branches, linking them together. */
-+ br = regbranch(g, &flags);
-+ if (br == NULL)
-+ return(NULL);
-+ if (ret != NULL)
-+ regtail(g, ret, br); /* OPEN -> first. */
-+ else
-+ ret = br;
-+ if (!(flags&HASWIDTH))
-+ *flagp &= ~HASWIDTH;
-+ *flagp |= flags&SPSTART;
-+ while (*g->regparse == '|') {
-+ g->regparse++;
-+ br = regbranch(g, &flags);
-+ if (br == NULL)
-+ return(NULL);
-+ regtail(g, ret, br); /* BRANCH -> BRANCH. */
-+ if (!(flags&HASWIDTH))
-+ *flagp &= ~HASWIDTH;
-+ *flagp |= flags&SPSTART;
-+ }
-+
-+ /* Make a closing node, and hook it on the end. */
-+ ender = regnode(g, (paren) ? CLOSE+parno : END);
-+ regtail(g, ret, ender);
-+
-+ /* Hook the tails of the branches to the closing node. */
-+ for (br = ret; br != NULL; br = regnext(g, br))
-+ regoptail(g, br, ender);
-+
-+ /* Check for proper termination. */
-+ if (paren && *g->regparse++ != ')') {
-+ FAIL("unmatched ()");
-+ } else if (!paren && *g->regparse != '\0') {
-+ if (*g->regparse == ')') {
-+ FAIL("unmatched ()");
-+ } else
-+ FAIL("junk on end"); /* "Can't happen". */
-+ /* NOTREACHED */
-+ }
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regbranch - one alternative of an | operator
-+ *
-+ * Implements the concatenation operator.
-+ */
-+static char *
-+regbranch(struct match_globals *g, int *flagp)
-+{
-+ register char *ret;
-+ register char *chain;
-+ register char *latest;
-+ int flags;
-+
-+ *flagp = WORST; /* Tentatively. */
-+
-+ ret = regnode(g, BRANCH);
-+ chain = NULL;
-+ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') {
-+ latest = regpiece(g, &flags);
-+ if (latest == NULL)
-+ return(NULL);
-+ *flagp |= flags&HASWIDTH;
-+ if (chain == NULL) /* First piece. */
-+ *flagp |= flags&SPSTART;
-+ else
-+ regtail(g, chain, latest);
-+ chain = latest;
-+ }
-+ if (chain == NULL) /* Loop ran zero times. */
-+ (void) regnode(g, NOTHING);
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regpiece - something followed by possible [*+?]
-+ *
-+ * Note that the branching code sequences used for ? and the general cases
-+ * of * and + are somewhat optimized: they use the same NOTHING node as
-+ * both the endmarker for their branch list and the body of the last branch.
-+ * It might seem that this node could be dispensed with entirely, but the
-+ * endmarker role is not redundant.
-+ */
-+static char *
-+regpiece(struct match_globals *g, int *flagp)
-+{
-+ register char *ret;
-+ register char op;
-+ register char *next;
-+ int flags;
-+
-+ ret = regatom(g, &flags);
-+ if (ret == NULL)
-+ return(NULL);
-+
-+ op = *g->regparse;
-+ if (!ISMULT(op)) {
-+ *flagp = flags;
-+ return(ret);
-+ }
-+
-+ if (!(flags&HASWIDTH) && op != '?')
-+ FAIL("*+ operand could be empty");
-+ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
-+
-+ if (op == '*' && (flags&SIMPLE))
-+ reginsert(g, STAR, ret);
-+ else if (op == '*') {
-+ /* Emit x* as (x&|), where & means "self". */
-+ reginsert(g, BRANCH, ret); /* Either x */
-+ regoptail(g, ret, regnode(g, BACK)); /* and loop */
-+ regoptail(g, ret, ret); /* back */
-+ regtail(g, ret, regnode(g, BRANCH)); /* or */
-+ regtail(g, ret, regnode(g, NOTHING)); /* null. */
-+ } else if (op == '+' && (flags&SIMPLE))
-+ reginsert(g, PLUS, ret);
-+ else if (op == '+') {
-+ /* Emit x+ as x(&|), where & means "self". */
-+ next = regnode(g, BRANCH); /* Either */
-+ regtail(g, ret, next);
-+ regtail(g, regnode(g, BACK), ret); /* loop back */
-+ regtail(g, next, regnode(g, BRANCH)); /* or */
-+ regtail(g, ret, regnode(g, NOTHING)); /* null. */
-+ } else if (op == '?') {
-+ /* Emit x? as (x|) */
-+ reginsert(g, BRANCH, ret); /* Either x */
-+ regtail(g, ret, regnode(g, BRANCH)); /* or */
-+ next = regnode(g, NOTHING); /* null. */
-+ regtail(g, ret, next);
-+ regoptail(g, ret, next);
-+ }
-+ g->regparse++;
-+ if (ISMULT(*g->regparse))
-+ FAIL("nested *?+");
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regatom - the lowest level
-+ *
-+ * Optimization: gobbles an entire sequence of ordinary characters so that
-+ * it can turn them into a single node, which is smaller to store and
-+ * faster to run. Backslashed characters are exceptions, each becoming a
-+ * separate node; the code is simpler that way and it's not worth fixing.
-+ */
-+static char *
-+regatom(struct match_globals *g, int *flagp)
-+{
-+ register char *ret;
-+ int flags;
-+
-+ *flagp = WORST; /* Tentatively. */
-+
-+ switch (*g->regparse++) {
-+ case '^':
-+ ret = regnode(g, BOL);
-+ break;
-+ case '$':
-+ ret = regnode(g, EOL);
-+ break;
-+ case '.':
-+ ret = regnode(g, ANY);
-+ *flagp |= HASWIDTH|SIMPLE;
-+ break;
-+ case '[': {
-+ register int class;
-+ register int classend;
-+
-+ if (*g->regparse == '^') { /* Complement of range. */
-+ ret = regnode(g, ANYBUT);
-+ g->regparse++;
-+ } else
-+ ret = regnode(g, ANYOF);
-+ if (*g->regparse == ']' || *g->regparse == '-')
-+ regc(g, *g->regparse++);
-+ while (*g->regparse != '\0' && *g->regparse != ']') {
-+ if (*g->regparse == '-') {
-+ g->regparse++;
-+ if (*g->regparse == ']' || *g->regparse == '\0')
-+ regc(g, '-');
-+ else {
-+ class = UCHARAT(g->regparse-2)+1;
-+ classend = UCHARAT(g->regparse);
-+ if (class > classend+1)
-+ FAIL("invalid [] range");
-+ for (; class <= classend; class++)
-+ regc(g, class);
-+ g->regparse++;
-+ }
-+ } else
-+ regc(g, *g->regparse++);
-+ }
-+ regc(g, '\0');
-+ if (*g->regparse != ']')
-+ FAIL("unmatched []");
-+ g->regparse++;
-+ *flagp |= HASWIDTH|SIMPLE;
-+ }
-+ break;
-+ case '(':
-+ ret = reg(g, 1, &flags);
-+ if (ret == NULL)
-+ return(NULL);
-+ *flagp |= flags&(HASWIDTH|SPSTART);
-+ break;
-+ case '\0':
-+ case '|':
-+ case ')':
-+ FAIL("internal urp"); /* Supposed to be caught earlier. */
-+ break;
-+ case '?':
-+ case '+':
-+ case '*':
-+ FAIL("?+* follows nothing");
-+ break;
-+ case '\\':
-+ if (*g->regparse == '\0')
-+ FAIL("trailing \\");
-+ ret = regnode(g, EXACTLY);
-+ regc(g, *g->regparse++);
-+ regc(g, '\0');
-+ *flagp |= HASWIDTH|SIMPLE;
-+ break;
-+ default: {
-+ register int len;
-+ register char ender;
-+
-+ g->regparse--;
-+ len = my_strcspn((const char *)g->regparse, (const char *)META);
-+ if (len <= 0)
-+ FAIL("internal disaster");
-+ ender = *(g->regparse+len);
-+ if (len > 1 && ISMULT(ender))
-+ len--; /* Back off clear of ?+* operand. */
-+ *flagp |= HASWIDTH;
-+ if (len == 1)
-+ *flagp |= SIMPLE;
-+ ret = regnode(g, EXACTLY);
-+ while (len > 0) {
-+ regc(g, *g->regparse++);
-+ len--;
-+ }
-+ regc(g, '\0');
-+ }
-+ break;
-+ }
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regnode - emit a node
-+ */
-+static char * /* Location. */
-+regnode(struct match_globals *g, char op)
-+{
-+ register char *ret;
-+ register char *ptr;
-+
-+ ret = g->regcode;
-+ if (ret == &g->regdummy) {
-+ g->regsize += 3;
-+ return(ret);
-+ }
-+
-+ ptr = ret;
-+ *ptr++ = op;
-+ *ptr++ = '\0'; /* Null "next" pointer. */
-+ *ptr++ = '\0';
-+ g->regcode = ptr;
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regc - emit (if appropriate) a byte of code
-+ */
-+static void
-+regc(struct match_globals *g, char b)
-+{
-+ if (g->regcode != &g->regdummy)
-+ *g->regcode++ = b;
-+ else
-+ g->regsize++;
-+}
-+
-+/*
-+ - reginsert - insert an operator in front of already-emitted operand
-+ *
-+ * Means relocating the operand.
-+ */
-+static void
-+reginsert(struct match_globals *g, char op, char* opnd)
-+{
-+ register char *src;
-+ register char *dst;
-+ register char *place;
-+
-+ if (g->regcode == &g->regdummy) {
-+ g->regsize += 3;
-+ return;
-+ }
-+
-+ src = g->regcode;
-+ g->regcode += 3;
-+ dst = g->regcode;
-+ while (src > opnd)
-+ *--dst = *--src;
-+
-+ place = opnd; /* Op node, where operand used to be. */
-+ *place++ = op;
-+ *place++ = '\0';
-+ *place++ = '\0';
-+}
-+
-+/*
-+ - regtail - set the next-pointer at the end of a node chain
-+ */
-+static void
-+regtail(struct match_globals *g, char *p, char *val)
-+{
-+ register char *scan;
-+ register char *temp;
-+ register int offset;
-+
-+ if (p == &g->regdummy)
-+ return;
-+
-+ /* Find last node. */
-+ scan = p;
-+ for (;;) {
-+ temp = regnext(g, scan);
-+ if (temp == NULL)
-+ break;
-+ scan = temp;
-+ }
-+
-+ if (OP(scan) == BACK)
-+ offset = scan - val;
-+ else
-+ offset = val - scan;
-+ *(scan+1) = (offset>>8)&0377;
-+ *(scan+2) = offset&0377;
-+}
-+
-+/*
-+ - regoptail - regtail on operand of first argument; nop if operandless
-+ */
-+static void
-+regoptail(struct match_globals *g, char *p, char *val)
-+{
-+ /* "Operandless" and "op != BRANCH" are synonymous in practice. */
-+ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH)
-+ return;
-+ regtail(g, OPERAND(p), val);
-+}
-+
-+/*
-+ * regexec and friends
-+ */
-+
-+
-+/*
-+ * Forwards.
-+ */
-+STATIC int regtry(struct match_globals *g, regexp *prog, char *string);
-+STATIC int regmatch(struct match_globals *g, char *prog);
-+STATIC int regrepeat(struct match_globals *g, char *p);
-+
-+#ifdef DEBUG
-+int regnarrate = 0;
-+void regdump();
-+STATIC char *regprop(char *op);
-+#endif
-+
-+/*
-+ - regexec - match a regexp against a string
-+ */
-+int
-+regexec(regexp *prog, char *string)
-+{
-+ register char *s;
-+ struct match_globals g;
-+
-+ /* Be paranoid... */
-+ if (prog == NULL || string == NULL) {
-+ printk("<3>Regexp: NULL parameter\n");
-+ return(0);
-+ }
-+
-+ /* Check validity of program. */
-+ if (UCHARAT(prog->program) != MAGIC) {
-+ printk("<3>Regexp: corrupted program\n");
-+ return(0);
-+ }
-+
-+ /* If there is a "must appear" string, look for it. */
-+ if (prog->regmust != NULL) {
-+ s = string;
-+ while ((s = strchr(s, prog->regmust[0])) != NULL) {
-+ if (strncmp(s, prog->regmust, prog->regmlen) == 0)
-+ break; /* Found it. */
-+ s++;
-+ }
-+ if (s == NULL) /* Not present. */
-+ return(0);
-+ }
-+
-+ /* Mark beginning of line for ^ . */
-+ g.regbol = string;
-+
-+ /* Simplest case: anchored match need be tried only once. */
-+ if (prog->reganch)
-+ return(regtry(&g, prog, string));
-+
-+ /* Messy cases: unanchored match. */
-+ s = string;
-+ if (prog->regstart != '\0')
-+ /* We know what char it must start with. */
-+ while ((s = strchr(s, prog->regstart)) != NULL) {
-+ if (regtry(&g, prog, s))
-+ return(1);
-+ s++;
-+ }
-+ else
-+ /* We don't -- general case. */
-+ do {
-+ if (regtry(&g, prog, s))
-+ return(1);
-+ } while (*s++ != '\0');
-+
-+ /* Failure. */
-+ return(0);
-+}
-+
-+/*
-+ - regtry - try match at specific point
-+ */
-+static int /* 0 failure, 1 success */
-+regtry(struct match_globals *g, regexp *prog, char *string)
-+{
-+ register int i;
-+ register char **sp;
-+ register char **ep;
-+
-+ g->reginput = string;
-+ g->regstartp = prog->startp;
-+ g->regendp = prog->endp;
-+
-+ sp = prog->startp;
-+ ep = prog->endp;
-+ for (i = NSUBEXP; i > 0; i--) {
-+ *sp++ = NULL;
-+ *ep++ = NULL;
-+ }
-+ if (regmatch(g, prog->program + 1)) {
-+ prog->startp[0] = string;
-+ prog->endp[0] = g->reginput;
-+ return(1);
-+ } else
-+ return(0);
-+}
-+
-+/*
-+ - regmatch - main matching routine
-+ *
-+ * Conceptually the strategy is simple: check to see whether the current
-+ * node matches, call self recursively to see whether the rest matches,
-+ * and then act accordingly. In practice we make some effort to avoid
-+ * recursion, in particular by going through "ordinary" nodes (that don't
-+ * need to know whether the rest of the match failed) by a loop instead of
-+ * by recursion.
-+ */
-+static int /* 0 failure, 1 success */
-+regmatch(struct match_globals *g, char *prog)
-+{
-+ register char *scan = prog; /* Current node. */
-+ char *next; /* Next node. */
-+
-+#ifdef DEBUG
-+ if (scan != NULL && regnarrate)
-+ fprintf(stderr, "%s(\n", regprop(scan));
-+#endif
-+ while (scan != NULL) {
-+#ifdef DEBUG
-+ if (regnarrate)
-+ fprintf(stderr, "%s...\n", regprop(scan));
-+#endif
-+ next = regnext(g, scan);
-+
-+ switch (OP(scan)) {
-+ case BOL:
-+ if (g->reginput != g->regbol)
-+ return(0);
-+ break;
-+ case EOL:
-+ if (*g->reginput != '\0')
-+ return(0);
-+ break;
-+ case ANY:
-+ if (*g->reginput == '\0')
-+ return(0);
-+ g->reginput++;
-+ break;
-+ case EXACTLY: {
-+ register int len;
-+ register char *opnd;
-+
-+ opnd = OPERAND(scan);
-+ /* Inline the first character, for speed. */
-+ if (*opnd != *g->reginput)
-+ return(0);
-+ len = strlen(opnd);
-+ if (len > 1 && strncmp(opnd, g->reginput, len) != 0)
-+ return(0);
-+ g->reginput += len;
-+ }
-+ break;
-+ case ANYOF:
-+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL)
-+ return(0);
-+ g->reginput++;
-+ break;
-+ case ANYBUT:
-+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL)
-+ return(0);
-+ g->reginput++;
-+ break;
-+ case NOTHING:
-+ case BACK:
-+ break;
-+ case OPEN+1:
-+ case OPEN+2:
-+ case OPEN+3:
-+ case OPEN+4:
-+ case OPEN+5:
-+ case OPEN+6:
-+ case OPEN+7:
-+ case OPEN+8:
-+ case OPEN+9: {
-+ register int no;
-+ register char *save;
-+
-+ no = OP(scan) - OPEN;
-+ save = g->reginput;
-+
-+ if (regmatch(g, next)) {
-+ /*
-+ * Don't set startp if some later
-+ * invocation of the same parentheses
-+ * already has.
-+ */
-+ if (g->regstartp[no] == NULL)
-+ g->regstartp[no] = save;
-+ return(1);
-+ } else
-+ return(0);
-+ }
-+ break;
-+ case CLOSE+1:
-+ case CLOSE+2:
-+ case CLOSE+3:
-+ case CLOSE+4:
-+ case CLOSE+5:
-+ case CLOSE+6:
-+ case CLOSE+7:
-+ case CLOSE+8:
-+ case CLOSE+9:
-+ {
-+ register int no;
-+ register char *save;
-+
-+ no = OP(scan) - CLOSE;
-+ save = g->reginput;
-+
-+ if (regmatch(g, next)) {
-+ /*
-+ * Don't set endp if some later
-+ * invocation of the same parentheses
-+ * already has.
-+ */
-+ if (g->regendp[no] == NULL)
-+ g->regendp[no] = save;
-+ return(1);
-+ } else
-+ return(0);
-+ }
-+ break;
-+ case BRANCH: {
-+ register char *save;
-+
-+ if (OP(next) != BRANCH) /* No choice. */
-+ next = OPERAND(scan); /* Avoid recursion. */
-+ else {
-+ do {
-+ save = g->reginput;
-+ if (regmatch(g, OPERAND(scan)))
-+ return(1);
-+ g->reginput = save;
-+ scan = regnext(g, scan);
-+ } while (scan != NULL && OP(scan) == BRANCH);
-+ return(0);
-+ /* NOTREACHED */
-+ }
-+ }
-+ break;
-+ case STAR:
-+ case PLUS: {
-+ register char nextch;
-+ register int no;
-+ register char *save;
-+ register int min;
-+
-+ /*
-+ * Lookahead to avoid useless match attempts
-+ * when we know what character comes next.
-+ */
-+ nextch = '\0';
-+ if (OP(next) == EXACTLY)
-+ nextch = *OPERAND(next);
-+ min = (OP(scan) == STAR) ? 0 : 1;
-+ save = g->reginput;
-+ no = regrepeat(g, OPERAND(scan));
-+ while (no >= min) {
-+ /* If it could work, try it. */
-+ if (nextch == '\0' || *g->reginput == nextch)
-+ if (regmatch(g, next))
-+ return(1);
-+ /* Couldn't or didn't -- back up. */
-+ no--;
-+ g->reginput = save + no;
-+ }
-+ return(0);
-+ }
-+ break;
-+ case END:
-+ return(1); /* Success! */
-+ break;
-+ default:
-+ printk("<3>Regexp: memory corruption\n");
-+ return(0);
-+ break;
-+ }
-+
-+ scan = next;
-+ }
-+
-+ /*
-+ * We get here only if there's trouble -- normally "case END" is
-+ * the terminating point.
-+ */
-+ printk("<3>Regexp: corrupted pointers\n");
-+ return(0);
-+}
-+
-+/*
-+ - regrepeat - repeatedly match something simple, report how many
-+ */
-+static int
-+regrepeat(struct match_globals *g, char *p)
-+{
-+ register int count = 0;
-+ register char *scan;
-+ register char *opnd;
-+
-+ scan = g->reginput;
-+ opnd = OPERAND(p);
-+ switch (OP(p)) {
-+ case ANY:
-+ count = strlen(scan);
-+ scan += count;
-+ break;
-+ case EXACTLY:
-+ while (*opnd == *scan) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ case ANYOF:
-+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ case ANYBUT:
-+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ default: /* Oh dear. Called inappropriately. */
-+ printk("<3>Regexp: internal foulup\n");
-+ count = 0; /* Best compromise. */
-+ break;
-+ }
-+ g->reginput = scan;
-+
-+ return(count);
-+}
-+
-+/*
-+ - regnext - dig the "next" pointer out of a node
-+ */
-+static char*
-+regnext(struct match_globals *g, char *p)
-+{
-+ register int offset;
-+
-+ if (p == &g->regdummy)
-+ return(NULL);
-+
-+ offset = NEXT(p);
-+ if (offset == 0)
-+ return(NULL);
-+
-+ if (OP(p) == BACK)
-+ return(p-offset);
-+ else
-+ return(p+offset);
-+}
-+
-+#ifdef DEBUG
-+
-+STATIC char *regprop();
-+
-+/*
-+ - regdump - dump a regexp onto stdout in vaguely comprehensible form
-+ */
-+void
-+regdump(regexp *r)
-+{
-+ register char *s;
-+ register char op = EXACTLY; /* Arbitrary non-END op. */
-+ register char *next;
-+ /* extern char *strchr(); */
-+
-+
-+ s = r->program + 1;
-+ while (op != END) { /* While that wasn't END last time... */
-+ op = OP(s);
-+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
-+ next = regnext(s);
-+ if (next == NULL) /* Next ptr. */
-+ printf("(0)");
-+ else
-+ printf("(%d)", (s-r->program)+(next-s));
-+ s += 3;
-+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
-+ /* Literal string, where present. */
-+ while (*s != '\0') {
-+ putchar(*s);
-+ s++;
-+ }
-+ s++;
-+ }
-+ putchar('\n');
-+ }
-+
-+ /* Header fields of interest. */
-+ if (r->regstart != '\0')
-+ printf("start `%c' ", r->regstart);
-+ if (r->reganch)
-+ printf("anchored ");
-+ if (r->regmust != NULL)
-+ printf("must have \"%s\"", r->regmust);
-+ printf("\n");
-+}
-+
-+/*
-+ - regprop - printable representation of opcode
-+ */
-+static char *
-+regprop(char *op)
-+{
-+#define BUFLEN 50
-+ register char *p;
-+ static char buf[BUFLEN];
-+
-+ strcpy(buf, ":");
-+
-+ switch (OP(op)) {
-+ case BOL:
-+ p = "BOL";
-+ break;
-+ case EOL:
-+ p = "EOL";
-+ break;
-+ case ANY:
-+ p = "ANY";
-+ break;
-+ case ANYOF:
-+ p = "ANYOF";
-+ break;
-+ case ANYBUT:
-+ p = "ANYBUT";
-+ break;
-+ case BRANCH:
-+ p = "BRANCH";
-+ break;
-+ case EXACTLY:
-+ p = "EXACTLY";
-+ break;
-+ case NOTHING:
-+ p = "NOTHING";
-+ break;
-+ case BACK:
-+ p = "BACK";
-+ break;
-+ case END:
-+ p = "END";
-+ break;
-+ case OPEN+1:
-+ case OPEN+2:
-+ case OPEN+3:
-+ case OPEN+4:
-+ case OPEN+5:
-+ case OPEN+6:
-+ case OPEN+7:
-+ case OPEN+8:
-+ case OPEN+9:
-+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
-+ p = NULL;
-+ break;
-+ case CLOSE+1:
-+ case CLOSE+2:
-+ case CLOSE+3:
-+ case CLOSE+4:
-+ case CLOSE+5:
-+ case CLOSE+6:
-+ case CLOSE+7:
-+ case CLOSE+8:
-+ case CLOSE+9:
-+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
-+ p = NULL;
-+ break;
-+ case STAR:
-+ p = "STAR";
-+ break;
-+ case PLUS:
-+ p = "PLUS";
-+ break;
-+ default:
-+ printk("<3>Regexp: corrupted opcode\n");
-+ break;
-+ }
-+ if (p != NULL)
-+ strncat(buf, p, BUFLEN-strlen(buf));
-+ return(buf);
-+}
-+#endif
-+
-+
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 02:16:23.677653000 +0200
-@@ -0,0 +1,41 @@
-+/*
-+ * Definitions etc. for regexp(3) routines.
-+ *
-+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
-+ * not the System V one.
-+ */
-+
-+#ifndef REGEXP_H
-+#define REGEXP_H
-+
-+
-+/*
-+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
-+which contains a version of this library, says:
-+
-+ *
-+ * NSUBEXP must be at least 10, and no greater than 117 or the parser
-+ * will not work properly.
-+ *
-+
-+However, it looks rather like this library is limited to 10. If you think
-+otherwise, let us know.
-+*/
-+
-+#define NSUBEXP 10
-+typedef struct regexp {
-+ char *startp[NSUBEXP];
-+ char *endp[NSUBEXP];
-+ char regstart; /* Internal use only. */
-+ char reganch; /* Internal use only. */
-+ char *regmust; /* Internal use only. */
-+ int regmlen; /* Internal use only. */
-+ char program[1]; /* Unwarranted chumminess with compiler. */
-+} regexp;
-+
-+regexp * regcomp(char *exp, int *patternsize);
-+int regexec(regexp *prog, char *string);
-+void regsub(regexp *prog, char *source, char *dest);
-+void regerror(char *s);
-+
-+#endif
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 02:16:23.701654500 +0200
-@@ -0,0 +1,5 @@
-+/*
-+ * The first byte of the regexp internal "program" is actually this magic
-+ * number; the start node begins in the second byte.
-+ */
-+#define MAGIC 0234
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 02:35:46.074298250 +0200
-@@ -0,0 +1,95 @@
-+/*
-+ * regsub
-+ * @(#)regsub.c 1.3 of 2 April 86
-+ *
-+ * Copyright (c) 1986 by University of Toronto.
-+ * Written by Henry Spencer. Not derived from licensed software.
-+ *
-+ * Permission is granted to anyone to use this software for any
-+ * purpose on any computer system, and to redistribute it freely,
-+ * subject to the following restrictions:
-+ *
-+ * 1. The author is not responsible for the consequences of use of
-+ * this software, no matter how awful, even if they arise
-+ * from defects in it.
-+ *
-+ * 2. The origin of this software must not be misrepresented, either
-+ * by explicit claim or by omission.
-+ *
-+ * 3. Altered versions must be plainly marked as such, and must not
-+ * be misrepresented as being the original software.
-+ *
-+ *
-+ * This code was modified by Ethan Sommer to work within the kernel
-+ * (it now uses kmalloc etc..)
-+ *
-+ */
-+#include "regexp.h"
-+#include "regmagic.h"
-+#include <linux/string.h>
-+
-+
-+#ifndef CHARBITS
-+#define UCHARAT(p) ((int)*(unsigned char *)(p))
-+#else
-+#define UCHARAT(p) ((int)*(p)&CHARBITS)
-+#endif
-+
-+#if 0
-+//void regerror(char * s)
-+//{
-+// printk("regexp(3): %s", s);
-+// /* NOTREACHED */
-+//}
-+#endif
-+
-+/*
-+ - regsub - perform substitutions after a regexp match
-+ */
-+void
-+regsub(regexp * prog, char * source, char * dest)
-+{
-+ register char *src;
-+ register char *dst;
-+ register char c;
-+ register int no;
-+ register int len;
-+
-+ /* Not necessary and gcc doesn't like it -MLS */
-+ /*extern char *strncpy();*/
-+
-+ if (prog == NULL || source == NULL || dest == NULL) {
-+ regerror("NULL parm to regsub");
-+ return;
-+ }
-+ if (UCHARAT(prog->program) != MAGIC) {
-+ regerror("damaged regexp fed to regsub");
-+ return;
-+ }
-+
-+ src = source;
-+ dst = dest;
-+ while ((c = *src++) != '\0') {
-+ if (c == '&')
-+ no = 0;
-+ else if (c == '\\' && '0' <= *src && *src <= '9')
-+ no = *src++ - '0';
-+ else
-+ no = -1;
-+
-+ if (no < 0) { /* Ordinary character. */
-+ if (c == '\\' && (*src == '\\' || *src == '&'))
-+ c = *src++;
-+ *dst++ = c;
-+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
-+ len = prog->endp[no] - prog->startp[no];
-+ (void) strncpy(dst, prog->startp[no], len);
-+ dst += len;
-+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
-+ regerror("damaged match string");
-+ return;
-+ }
-+ }
-+ }
-+ *dst++ = '\0';
-+}
-Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h
-===================================================================
---- linux-2.6.22-rc6.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:21.825537250 +0200
-+++ linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:23.749657500 +0200
-@@ -128,6 +128,21 @@
- u_int32_t secmark;
- #endif
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ struct {
-+ /*
-+ * e.g. "http". NULL before decision. "unknown" after decision
-+ * if no match.
-+ */
-+ char *app_proto;
-+ /*
-+ * application layer data so far. NULL after match decision.
-+ */
-+ char *app_data;
-+ unsigned int app_data_len;
-+ } layer7;
-+#endif
-+
- /* Storage reserved for other modules: */
- union nf_conntrack_proto proto;
-
-Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
===================================================================
---- linux-2.6.22-rc6.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:28.597194750 +0200
-+++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:44.730203000 +0200
-@@ -21,6 +21,7 @@
+--- linux-2.6.22.18.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
char protocol[MAX_PROTOCOL_LEN];
- char invert:1;
char pattern[MAX_PATTERN_LEN];
-+ char pkt;
+ u_int8_t invert;
++ u_int8_t pkt;
};
- #endif /* _IPT_LAYER7_H */
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.22.18/net/netfilter/xt_layer7.c
===================================================================
---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:28.609195500 +0200
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:54.234797000 +0200
-@@ -300,33 +300,34 @@
+--- linux-2.6.22.18.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.22.18/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
}
/* add the new app data to the conntrack. Return number of bytes added. */
-static int add_data(struct nf_conn * master_conntrack,
-- char * app_data, int appdatalen)
+- char * app_data, int appdatalen)
+static int add_datastr(char *target, int offset, char *app_data, int len)
{
int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len;
-
-- // This is a fix for a race condition by Deti Fliegl. However, I'm not
-- // clear on whether the race condition exists or whether this really
-- // fixes it. I might just be being dense... Anyway, if it's not really
-- // a fix, all it does is waste a very small amount of time.
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0;
-+ if(!target) return 0;
++
++ if (!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */
- i < appdatalen; i++) {
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] =
- /* the kernel version of tolower mungs 'upper ascii' */
- isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
length++;
}
}
+ target[length+offset] = '\0';
-+
++
+ return length;
+}
- master_conntrack->layer7.app_data_len = length + oldlength;
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
-+ char * app_data, int appdatalen)
++ char * app_data, int appdatalen)
+{
+ int length;
return length;
}
-@@ -343,7 +344,7 @@
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo;
- struct nf_conn *master_conntrack;
- struct nf_conn *conntrack;
+ struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
+ unsigned char *app_data, *tmp_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
-@@ -365,8 +366,8 @@
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
- if(TOTAL_PACKETS > num_packets ||
- master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto)) {
-
- pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ master_conntrack->layer7.app_proto)) {
-@@ -396,6 +397,23 @@
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
- spin_unlock_bh(&list_lock);
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
+ kfree(tmp_data);
+ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
+
+ return (pattern_result ^ info->invert);
+ }
+
/* On the first packet of a connection, allocate space for app data */
- write_lock(&ct_lock);
- if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-26 20:21:54.586864296 +0200
+Index: linux-2.6.22.18/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter_ipv4/ipt_ipp2p.h
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
+#define IPP2P_MUTE (1 << 14)
+#define IPP2P_WASTE (1 << 15)
+#define IPP2P_XDCC (1 << 16)
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-26 20:21:54.587864144 +0200
+Index: linux-2.6.22.18/net/ipv4/netfilter/ipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/ipv4/netfilter/ipt_ipp2p.c
@@ -0,0 +1,882 @@
+#if defined(MODVERSIONS)
+#include <linux/modversions.h>
+module_exit(fini);
+
+
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-05-26 20:17:47.626407992 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:21:54.587864144 +0200
-@@ -81,6 +81,12 @@
- help
- Say Y to get lots of debugging output.
+Index: linux-2.6.22.18/net/ipv4/netfilter/Kconfig
+===================================================================
+--- linux-2.6.22.18.orig/net/ipv4/netfilter/Kconfig
++++ linux-2.6.22.18/net/ipv4/netfilter/Kconfig
+@@ -63,6 +63,12 @@ config IP_NF_MATCH_IPRANGE
+
+ To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_IPP2P
+ tristate "IPP2P"
config IP_NF_MATCH_TOS
tristate "TOS match support"
depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-05-26 20:17:47.638406168 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:21:54.588863992 +0200
-@@ -49,7 +49,7 @@
+Index: linux-2.6.22.18/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.6.22.18.orig/net/ipv4/netfilter/Makefile
++++ linux-2.6.22.18/net/ipv4/netfilter/Makefile
+@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
--
+obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
- obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
# targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+++ /dev/null
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h 2007-05-26 20:40:10.922195992 +0200
-@@ -0,0 +1,5 @@
-+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-+# include <linux/netfilter_ipv4/ip_conntrack.h>
-+#else /* linux-2.6.20+ */
-+# include <net/netfilter/nf_nat_rule.h>
-+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,14 @@
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_MATCHINFOSIZE 1
-+# define HAVE_TARGUSERINFO 1
-+# define HAVE_TARGINFOSIZE 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
-+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
-+ tcp_v4_check((tcph_sz), (s), (d), (csp))
-+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
-+
-+enum xt_chaos_variant {
-+ XTCHAOS_NORMAL,
-+ XTCHAOS_TARPIT,
-+ XTCHAOS_DELUDE,
-+};
-+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
-+};
-+
-+#endif /* _LINUX_XT_CHAOS_H */
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
-+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
-+};
-+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/netfilter/find_match.c
---- linux-2.6.21.1.old/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/find_match.c 2007-05-26 20:40:10.970188696 +0200
-@@ -0,0 +1,39 @@
-+/*
-+ xt_request_find_match
-+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+
-+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
-+ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/err.h>
-+#include <linux/netfilter_arp.h>
-+#include <linux/socket.h>
-+#include <linux/netfilter/x_tables.h>
-+
-+/*
-+ * Yeah this code is sub-optimal, but the function is missing in
-+ * mainline so far. -jengelh
-+ */
-+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
-+ u8 revision)
-+{
-+ static const char *const xt_prefix[] = {
-+ [AF_INET] = "ip",
-+ [AF_INET6] = "ip6",
-+ [NF_ARP] = "arp",
-+ };
-+ struct xt_match *match;
-+
-+ match = try_then_request_module(xt_find_match(af, name, revision),
-+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
-+ return NULL;
-+
-+ return match;
-+}
-+
-+/* In case it goes into mainline, let this out-of-tree package compile */
-+#define xt_request_find_match xt_request_find_match_lo
-diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfilter/Kconfig
---- linux-2.6.21.1.old/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Kconfig 2007-05-26 20:40:11.003183680 +0200
-@@ -255,6 +255,14 @@
-
- # alphabetically ordered list of targets
-
-+config NETFILTER_XT_TARGET_CHAOS
-+ tristate '"CHAOS" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `CHAOS' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_CLASSIFY
- tristate '"CLASSIFY" target support'
- depends on NETFILTER_XTABLES
-@@ -282,6 +290,14 @@
- <file:Documentation/kbuild/modules.txt>. The module will be called
- ipt_CONNMARK.ko. If unsure, say `N'.
-
-+config NETFILTER_XT_TARGET_DELUDE
-+ tristate '"DELUDE" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `DELUDE' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_DSCP
- tristate '"DSCP" target support'
- depends on NETFILTER_XTABLES
-@@ -526,6 +542,14 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config NETFILTER_XT_MATCH_PORTSCAN
-+ tristate '"portscan" match support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a 'portscan' match support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_MATCH_MULTIPORT
- tristate "Multiple port match support"
- depends on NETFILTER_XTABLES
-diff -urN linux-2.6.21.1.old/net/netfilter/Makefile linux-2.6.21.1.dev/net/netfilter/Makefile
---- linux-2.6.21.1.old/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Makefile 2007-05-26 20:40:11.003183680 +0200
-@@ -37,8 +37,10 @@
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
-
- # targets
-+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
-+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -63,6 +65,7 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
-+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c
---- linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,204 @@
-+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/icmp.h>
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter_ipv4/ipt_REJECT.h>
-+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+/* Module parameters */
-+static unsigned int reject_percentage = ~0U * .01;
-+static unsigned int delude_percentage = ~0U * .0101;
-+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
-+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
-+
-+/* References to other matches/targets */
-+static struct xt_match *xm_tcp;
-+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
-+
-+static int have_delude, have_tarpit;
-+
-+/* Static data for other matches/targets */
-+static const struct ipt_reject_info reject_params = {
-+ .with = ICMP_HOST_UNREACH,
-+};
-+
-+static const struct xt_tcp tcp_params = {
-+ .spts = {0, ~0},
-+ .dpts = {0, ~0},
-+};
-+
-+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
-+ struct sk_buff **pskb, const struct net_device *in,
-+ const struct net_device *out, unsigned int hooknum)
-+{
-+ const int protoff = ip_hdrlen(*pskb);
-+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
-+ const struct xt_target *destiny;
-+ int hotdrop = 0, ret;
-+
-+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
-+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
-+ return;
-+
-+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
-+#else
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL);
-+#endif
-+ return;
-+}
-+
-+static unsigned int xt_chaos_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* Equivalent to:
-+ * -A chaos -m statistic --mode random --probability \
-+ * $reject_percentage -j REJECT --reject-with host-unreach;
-+ * -A chaos -p tcp -m statistic --mode random --probability \
-+ * $delude_percentage -j DELUDE;
-+ * -A chaos -j DROP;
-+ */
-+ const struct xt_chaos_info *info = targinfo;
-+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params);
-+#endif
-+
-+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
-+ xt_chaos_total(info, pskb, in, out, hooknum);
-+
-+ return NF_DROP;
-+}
-+
-+static int xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
-+ "DELUDE module not available\n");
-+ return 0;
-+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
-+ "TARPIT module not available\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_chaos_info = {
-+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
-+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_chaos_init(void)
-+{
-+ int ret = -EINVAL;
-+
-+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"tcp\" match\n");
-+ return -EINVAL;
-+ }
-+
-+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"REJECT\" target\n");
-+ goto out2;
-+ }
-+
-+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
-+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"TARPIT\" target\n");
-+
-+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
-+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"DELUDE\" target\n");
-+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
-+ printk(KERN_WARNING PFX "xt_register_target returned "
-+ "error %d\n", ret);
-+ goto out3;
-+ }
-+
-+ return 0;
-+
-+ out3:
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ module_put(xt_reject->me);
-+ out2:
-+ module_put(xm_tcp->me);
-+ return ret;
-+}
-+
-+static void __exit xt_chaos_exit(void)
-+{
-+ xt_unregister_target(&xt_chaos_info);
-+ module_put(xm_tcp->me);
-+ module_put(xt_reject->me);
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ return;
-+}
-+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_CHAOS");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c
---- linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,288 @@
-+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/ip.h>
-+#include <linux/random.h>
-+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+# include <linux/netfilter_bridge.h>
-+#endif
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
-+{
-+ struct iphdr *iph = ip_hdr(skb);
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = ip_hdr(oldskb);
-+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
-+ unsigned int addr_type;
-+
-+ /* IP header checks: fragment. */
-+ if (iph->frag_off & htons(IP_OFFSET))
-+ return;
-+
-+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
-+ sizeof(_otcph), &_otcph);
-+ if (oth == NULL)
-+ return;
-+
-+ /* No RST for RST. */
-+ if (oth->rst)
-+ return;
-+
-+ /* Check checksum */
-+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
-+ return;
-+
-+ /* We need a linear, writeable skb. We also need to expand
-+ headroom in case hh_len of incoming interface < hh_len of
-+ outgoing interface */
-+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
-+ GFP_ATOMIC);
-+ if (!nskb)
-+ return;
-+
-+ /* This packet will not be the same as the other: clear nf fields */
-+ nf_reset(nskb);
-+ nskb->nfmark = 0;
-+ skb_init_secmark(nskb);
-+
-+ skb_shinfo(nskb)->gso_size = 0;
-+ skb_shinfo(nskb)->gso_segs = 0;
-+ skb_shinfo(nskb)->gso_type = 0;
-+
-+ tcph = tcp_hdr(nskb);
-+
-+ /* Swap source and dest */
-+ tmp_addr = ip_hdr(nskb)->saddr;
-+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
-+ ip_hdr(nskb)->daddr = tmp_addr;
-+ tmp_port = tcph->source;
-+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
-+
-+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
-+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-+ ip_hdr(nskb)->tot_len = htons(nskb->len);
-+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
-+ /* DELUDE essential part */
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
-+ oldskb->len - ip_hdrlen(oldskb) -
-+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
-+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - ip_hdrlen(oldskb)
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
-+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
-+ }
-+
-+ /* Reset flags */
-+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
-+ tcph->ack = needs_ack;
-+ }
-+
-+
-+ tcph->window = 0;
-+ tcph->urg_ptr = 0;
-+
-+ /* Adjust TCP checksum */
-+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ ip_hdr(nskb)->saddr,
-+ ip_hdr(nskb)->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
-+
-+ /* Set DF, id = 0 */
-+ ip_hdr(nskb)->frag_off = htons(IP_DF);
-+ ip_hdr(nskb)->id = 0;
-+
-+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ )
-+ addr_type = RTN_LOCAL;
-+
-+ if (ip_route_me_harder(&nskb, addr_type))
-+ goto free_nskb;
-+
-+ nskb->ip_summed = CHECKSUM_NONE;
-+
-+ /* Adjust IP TTL */
-+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
-+
-+ /* Adjust IP checksum */
-+ ip_hdr(nskb)->check = 0;
-+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
-+ ip_hdr(nskb)->ihl);
-+
-+ /* "Never happens" */
-+ if (nskb->len > dst_mtu(nskb->dst))
-+ goto free_nskb;
-+
-+ nf_ct_attach(nskb, oldskb);
-+
-+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-+ dst_output);
-+ return;
-+
-+ free_nskb:
-+ kfree_skb(nskb);
-+}
-+
-+static unsigned int xt_delude_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* WARNING: This code causes reentry within iptables.
-+ This means that the iptables jump stack is now crap. We
-+ must return an absolute verdict. --RR */
-+ send_reset(*pskb, hooknum);
-+ return NF_DROP;
-+}
-+
-+static int xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_delude_info = {
-+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
-+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_delude_init(void)
-+{
-+ return xt_register_target(&xt_delude_info);
-+}
-+
-+static void __exit xt_delude_exit(void)
-+{
-+ xt_unregister_target(&xt_delude_info);
-+}
-+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_DELUDE");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/netfilter/xt_portscan.c
---- linux-2.6.21.1.old/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_portscan.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,272 @@
-+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/moduleparam.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/tcp.h>
-+#include <linux/types.h>
-+#include <linux/version.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+enum {
-+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
-+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
-+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
-+};
-+
-+/* Module parameters */
-+static unsigned int
-+ connmark_mask = ~0,
-+ packet_mask = ~0,
-+ mark_seen = 0x9,
-+ mark_synrcv = 0x1,
-+ mark_closed = 0x2,
-+ mark_synscan = 0x3,
-+ mark_estab1 = 0x4,
-+ mark_estab2 = 0x5,
-+ mark_cnscan = 0x6,
-+ mark_grscan = 0x7,
-+ mark_valid = 0x8;
-+
-+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
-+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
-+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
-+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
-+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
-+MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
-+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
-+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
-+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
-+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
-+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
-+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
-+
-+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_ack6(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_fin(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
-+}
-+
-+static inline int tflg_rst(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
-+}
-+
-+static inline int tflg_rstack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_ACK | TCP_FLAG_RST);
-+}
-+
-+static inline int tflg_syn(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
-+}
-+
-+static inline int tflg_synack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
-+}
-+
-+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
-+{
-+ /*
-+ * "Connection refused" replies to our own probes must not be matched.
-+ */
-+ if(tflg_rstack(th))
-+ return 0;
-+
-+ if(tflg_rst(th) && printk_ratelimit()) {
-+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
-+ }
-+
-+ /*
-+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
-+ * packets that are not associated with any connection -- this will
-+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
-+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
-+ */
-+ return !tflg_syn(th);
-+}
-+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
-+{
-+ if(mark == mark_estab2) {
-+ /*
-+ * -m connmark --mark $ESTAB2
-+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
-+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_grscan;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_estab1) {
-+ /*
-+ * -m connmark --mark $ESTAB1
-+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
-+ return mark_estab2;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
-+ /*
-+ * -m connmark --mark $SYN
-+ */
-+ if(loopback && tflg_synack(tcph))
-+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
-+ return mark_closed;
-+ else if(tflg_ack6(tcph))
-+ return mark_estab1;
-+ else
-+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
-+ /*
-+ * -p tcp --syn --ctstate NEW
-+ */
-+ return mark_synrcv;
-+ }
-+ return mark;
-+}
-+
-+static int xt_portscan_match(const struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo, int offset,
-+ unsigned int protoff, int *hotdrop)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+ enum ip_conntrack_info ctstate;
-+ struct nf_conn *ctdata;
-+ const struct tcphdr *tcph;
-+ struct tcphdr tcph_buf;
-+
-+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
-+ return 0;
-+
-+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
-+ /*
-+ * If @ctdata is NULL, we cannot match the other scan
-+ * types, return.
-+ */
-+ return 0;
-+ }
-+
-+ /*
-+ * If -m portscan was previously applied to this packet, the rules we
-+ * simulate must not be run through again. And for speedup, do not call
-+ * it either when the connection is already VALID.
-+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
-+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
-+ in == &loopback_dev, tcph,
-+ skb->len - protoff - 4 * tcph->doff);
-+
-+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
-+ }
-+
-+ return (info->match_syn && ctdata->mark == mark_synscan) ||
-+ (info->match_cn && ctdata->mark == mark_cnscan) ||
-+ (info->match_gr && ctdata->mark == mark_grscan);
-+}
-+
-+static int xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return 0;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
-+ printk(KERN_WARNING PFX "Invalid flags\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_match xt_portscan = {
-+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_portscan_init(void)
-+{
-+ return xt_register_match(&xt_portscan);
-+}
-+
-+static void __exit xt_portscan_exit(void)
-+{
-+ xt_unregister_match(&xt_portscan);
-+ return;
-+}
-+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_portscan");
-diff -urN linux-2.6.22-rc3.old/drivers/char/random.c linux-2.6.22-rc3.dev/drivers/char/random.c
---- linux-2.6.22-rc3.old/drivers/char/random.c 2007-05-26 03:55:14.000000000 +0100
-+++ linux-2.6.22-rc3.dev/drivers/char/random.c 2007-05-29 11:21:53.000000000 +0100
-@@ -1557,6 +1557,8 @@
- return seq;
- }
-
-+EXPORT_SYMBOL(secure_tcp_sequence_number);
-+
- /* Generate secure starting point for ephemeral IPV4 transport port search */
- u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
- {
--- /dev/null
+Index: linux-2.6.22.18/include/linux/netfilter/oot_conntrack.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/oot_conntrack.h
+@@ -0,0 +1,5 @@
++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
++# include <linux/netfilter_ipv4/ip_conntrack.h>
++#else /* linux-2.6.20+ */
++# include <net/netfilter/nf_nat_rule.h>
++#endif
+Index: linux-2.6.22.18/include/linux/netfilter/oot_trans.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/oot_trans.h
+@@ -0,0 +1,14 @@
++/* Out of tree workarounds */
++#include <linux/version.h>
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
++# define HAVE_MATCHINFOSIZE 1
++# define HAVE_TARGUSERINFO 1
++# define HAVE_TARGINFOSIZE 1
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
++# define nfmark mark
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
++ tcp_v4_check((tcph_sz), (s), (d), (csp))
++#endif
+Index: linux-2.6.22.18/include/linux/netfilter/xt_CHAOS.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/xt_CHAOS.h
+@@ -0,0 +1,14 @@
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
++
++enum xt_chaos_target_variant {
++ XTCHAOS_NORMAL,
++ XTCHAOS_TARPIT,
++ XTCHAOS_DELUDE,
++};
++
++struct xt_chaos_target_info {
++ uint8_t variant;
++};
++
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.22.18/include/linux/netfilter/xt_portscan.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/xt_portscan.h
+@@ -0,0 +1,8 @@
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
++
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
++};
++
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.22.18/net/netfilter/find_match.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/find_match.c
+@@ -0,0 +1,39 @@
++/*
++ xt_request_find_match
++ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++
++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
++ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
++*/
++#include <linux/err.h>
++#include <linux/netfilter_arp.h>
++#include <linux/socket.h>
++#include <linux/netfilter/x_tables.h>
++
++/*
++ * Yeah this code is sub-optimal, but the function is missing in
++ * mainline so far. -jengelh
++ */
++static struct xt_match *xt_request_find_match_lo(int af, const char *name,
++ u8 revision)
++{
++ static const char *const xt_prefix[] = {
++ [AF_INET] = "ip",
++ [AF_INET6] = "ip6",
++ [NF_ARP] = "arp",
++ };
++ struct xt_match *match;
++
++ match = try_then_request_module(xt_find_match(af, name, revision),
++ "%st_%s", xt_prefix[af], name);
++ if (IS_ERR(match) || match == NULL)
++ return NULL;
++
++ return match;
++}
++
++/* In case it goes into mainline, let this out-of-tree package compile */
++#define xt_request_find_match xt_request_find_match_lo
+Index: linux-2.6.22.18/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/Kconfig
++++ linux-2.6.22.18/net/netfilter/Kconfig
+@@ -255,6 +255,14 @@ config NETFILTER_XTABLES
+
+ # alphabetically ordered list of targets
+
++config NETFILTER_XT_TARGET_CHAOS
++ tristate '"CHAOS" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `CHAOS' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_CLASSIFY
+ tristate '"CLASSIFY" target support'
+ depends on NETFILTER_XTABLES
+@@ -282,6 +290,14 @@ config NETFILTER_XT_TARGET_CONNMARK
+ <file:Documentation/kbuild/modules.txt>. The module will be called
+ ipt_CONNMARK.ko. If unsure, say `N'.
+
++config NETFILTER_XT_TARGET_DELUDE
++ tristate '"DELUDE" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `DELUDE' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_DSCP
+ tristate '"DSCP" target support'
+ depends on NETFILTER_XTABLES
+@@ -526,6 +542,14 @@ config NETFILTER_XT_MATCH_POLICY
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_PORTSCAN
++ tristate '"portscan" match support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a 'portscan' match support.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_MATCH_MULTIPORT
+ tristate "Multiple port match support"
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.22.18/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/Makefile
++++ linux-2.6.22.18/net/netfilter/Makefile
+@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
+Index: linux-2.6.22.18/net/netfilter/xt_CHAOS.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
++/*
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/icmp.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <linux/netfilter_ipv4/ipt_REJECT.h>
++#include <net/ip.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++/* Module parameters */
++static unsigned int reject_percentage = ~0U * .01;
++static unsigned int delude_percentage = ~0U * .0101;
++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
++
++/* References to other matches/targets */
++static struct xt_match *xm_tcp;
++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
++
++static int have_delude, have_tarpit;
++
++/* Static data for other matches/targets */
++static const struct ipt_reject_info reject_params = {
++ .with = ICMP_HOST_UNREACH,
++};
++
++static const struct xt_tcp tcp_params = {
++ .spts = {0, ~0},
++ .dpts = {0, ~0},
++};
++
++/* CHAOS functions */
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
++ struct sk_buff **pskb, const struct net_device *in,
++ const struct net_device *out, unsigned int hooknum)
++{
++ const struct iphdr *iph = ip_hdr(*pskb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
++ const struct xt_target *destiny;
++ int hotdrop = 0, ret;
++
++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
++ offset, protoff, &hotdrop);
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ return;
++
++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
++ destiny->target(pskb, in, out, hooknum, destiny, NULL);
++ return;
++}
++
++static unsigned int chaos_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /*
++ * Equivalent to:
++ * -A chaos -m statistic --mode random --probability \
++ * $reject_percentage -j REJECT --reject-with host-unreach;
++ * -A chaos -p tcp -m statistic --mode random --probability \
++ * $delude_percentage -j DELUDE;
++ * -A chaos -j DROP;
++ */
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(*pskb);
++
++ if ((unsigned int)net_random() <= reject_percentage)
++ return xt_reject->target(pskb, in, out, hooknum, target,
++ &reject_params);
++
++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ xt_chaos_total(info, pskb, in, out, hooknum);
++
++ return NF_DROP;
++}
++
++static int chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
++{
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
++ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
++ "DELUDE module not available\n");
++ return false;
++ }
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
++ "TARPIT module not available\n");
++ return false;
++ }
++
++ return true;
++}
++
++static struct xt_target chaos_tg_reg = {
++ .name = "CHAOS",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
++ (1 << NF_IP_LOCAL_OUT),
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
++ .me = THIS_MODULE,
++};
++
++static int __init chaos_tg_init(void)
++{
++ int ret = -EINVAL;
++
++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
++ if (xm_tcp == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"tcp\" match\n");
++ return -EINVAL;
++ }
++
++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
++ if (xt_reject == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"REJECT\" target\n");
++ goto out2;
++ }
++
++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
++ have_tarpit = xt_tarpit != NULL;
++ if (!have_tarpit)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"TARPIT\" target\n");
++
++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
++ have_delude = xt_delude != NULL;
++ if (!have_delude)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"DELUDE\" target\n");
++
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
++ printk(KERN_WARNING PFX "xt_register_target returned "
++ "error %d\n", ret);
++ goto out3;
++ }
++
++ return 0;
++
++ out3:
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ module_put(xt_reject->me);
++ out2:
++ module_put(xm_tcp->me);
++ return ret;
++}
++
++static void __exit chaos_tg_exit(void)
++{
++ xt_unregister_target(&chaos_tg_reg);
++ module_put(xm_tcp->me);
++ module_put(xt_reject->me);
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ return;
++}
++
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_CHAOS");
+Index: linux-2.6.22.18/net/netfilter/xt_DELUDE.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
++/*
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/netfilter/x_tables.h>
++#ifdef CONFIG_BRIDGE_NETFILTER
++# include <linux/netfilter_bridge.h>
++#endif
++#include <net/tcp.h>
++#define PFX KBUILD_MODNAME ": "
++
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
++{
++ struct tcphdr _otcph, *oth, *tcph;
++ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
++
++ /* IP header checks: fragment. */
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
++ return;
++
++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
++ sizeof(_otcph), &_otcph);
++ if (oth == NULL)
++ return;
++
++ /* No RST for RST. */
++ if (oth->rst)
++ return;
++
++ /* Check checksum */
++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
++ return;
++
++ /* We need a linear, writeable skb. We also need to expand
++ headroom in case hh_len of incoming interface < hh_len of
++ outgoing interface */
++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
++ GFP_ATOMIC);
++ if (!nskb)
++ return;
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_reset(nskb);
++ nskb->mark = 0;
++ skb_init_secmark(nskb);
++
++ skb_shinfo(nskb)->gso_size = 0;
++ skb_shinfo(nskb)->gso_segs = 0;
++ skb_shinfo(nskb)->gso_type = 0;
++
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
++
++ /* Swap source and dest */
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
++ tcph->source = tcph->dest;
++ tcph->dest = tmp_port;
++
++ /* Truncate to length (no data) */
++ tcph->doff = sizeof(struct tcphdr) / 4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ /* DELUDE essential part */
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
++ oldskb->len - ip_hdrlen(oldskb) -
++ (oth->doff << 2));
++ tcph->seq = false;
++ tcph->ack = true;
++ } else {
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
++ } else {
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = true;
++ tcph->ack = needs_ack;
++ }
++
++ tcph->window = 0;
++ tcph->urg_ptr = 0;
++
++ /* Adjust TCP checksum */
++ tcph->check = 0;
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ addr_type = RTN_UNSPEC;
++#ifdef CONFIG_BRIDGE_NETFILTER
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
++#endif
++ addr_type = RTN_LOCAL;
++
++ if (ip_route_me_harder(&nskb, addr_type))
++ goto free_nskb;
++
++ nskb->ip_summed = CHECKSUM_NONE;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ nf_ct_attach(nskb, oldskb);
++
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
++ dst_output);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int delude_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /* WARNING: This code causes reentry within iptables.
++ This means that the iptables jump stack is now crap. We
++ must return an absolute verdict. --RR */
++ delude_send_reset(*pskb, hooknum);
++ return NF_DROP;
++}
++
++static struct xt_target delude_tg_reg = {
++ .name = "DELUDE",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init delude_tg_init(void)
++{
++ return xt_register_target(&delude_tg_reg);
++}
++
++static void __exit delude_tg_exit(void)
++{
++ xt_unregister_target(&delude_tg_reg);
++}
++
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_DELUDE");
+Index: linux-2.6.22.18/net/netfilter/xt_portscan.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
++/*
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/moduleparam.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/tcp.h>
++#include <linux/types.h>
++#include <linux/version.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++enum {
++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
++};
++
++/* Module parameters */
++static unsigned int
++ connmark_mask = ~0,
++ packet_mask = ~0,
++ mark_seen = 0x9,
++ mark_synrcv = 0x1,
++ mark_closed = 0x2,
++ mark_synscan = 0x3,
++ mark_estab1 = 0x4,
++ mark_estab2 = 0x5,
++ mark_cnscan = 0x6,
++ mark_grscan = 0x7,
++ mark_valid = 0x8;
++
++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
++module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
++module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
++module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
++MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
++
++/* TCP flag functions */
++static inline bool tflg_ack4(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_ack6(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_fin(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
++}
++
++static inline bool tflg_rst(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
++}
++
++static inline bool tflg_rstack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_ACK | TCP_FLAG_RST);
++}
++
++static inline bool tflg_syn(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
++}
++
++static inline bool tflg_synack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_SYN | TCP_FLAG_ACK);
++}
++
++/* portscan functions */
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
++{
++ /*
++ * "Connection refused" replies to our own probes must not be matched.
++ */
++ if (tflg_rstack(th))
++ return false;
++
++ if (tflg_rst(th) && printk_ratelimit()) {
++ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
++ return false;
++ }
++
++ /*
++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
++ * packets that are not associated with any connection -- this will
++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
++ */
++ return !tflg_syn(th);
++}
++
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
++{
++ if (mark == mark_estab2) {
++ /*
++ * -m connmark --mark $ESTAB2
++ */
++ if (tflg_ack4(tcph) && payload_len == 0)
++ return mark; /* keep mark */
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_grscan;
++ else
++ return mark_valid;
++ } else if (mark == mark_estab1) {
++ /*
++ * -m connmark --mark $ESTAB1
++ */
++ if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_cnscan;
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
++ return mark_estab2;
++ else
++ return mark_valid;
++ } else if (mark == mark_synrcv) {
++ /*
++ * -m connmark --mark $SYN
++ */
++ if (loopback && tflg_synack(tcph))
++ return mark; /* keep mark */
++ else if (loopback && tflg_rstack(tcph))
++ return mark_closed;
++ else if (tflg_ack6(tcph))
++ return mark_estab1;
++ else
++ return mark_synscan;
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ /*
++ * -p tcp --syn --ctstate NEW
++ */
++ return mark_synrcv;
++ }
++ return mark;
++}
++
++static int portscan_mt(const struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ const struct xt_match *match, const void *matchinfo, int offset,
++ unsigned int protoff, int *hotdrop)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++ enum ip_conntrack_info ctstate;
++ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
++ struct tcphdr tcph_buf;
++
++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
++ if (tcph == NULL)
++ return false;
++
++ /* Check for invalid packets: -m conntrack --ctstate INVALID */
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
++ /*
++ * If @ctdata is NULL, we cannot match the other scan
++ * types, return.
++ */
++ return false;
++ }
++
++ /*
++ * If -m portscan was previously applied to this packet, the rules we
++ * simulate must not be run through again. And for speedup, do not call
++ * it either when the connection is already VALID.
++ */
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
++ unsigned int n;
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++ in == &loopback_dev, tcph,
++ skb->len - protoff - 4 * tcph->doff);
++
++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
++ }
++
++ return (info->match_syn && ctdata->mark == mark_synscan) ||
++ (info->match_cn && ctdata->mark == mark_cnscan) ||
++ (info->match_gr && ctdata->mark == mark_grscan);
++}
++
++static int portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ printk(KERN_WARNING PFX "Invalid flags\n");
++ return false;
++ }
++ return true;
++}
++
++static struct xt_match portscan_mt_reg __read_mostly = {
++ .name = "portscan",
++ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init portscan_mt_init(void)
++{
++ return xt_register_match(&portscan_mt_reg);
++}
++
++static void __exit portscan_mt_exit(void)
++{
++ xt_unregister_match(&portscan_mt_reg);
++ return;
++}
++
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_portscan");
+Index: linux-2.6.22.18/drivers/char/random.c
+===================================================================
+--- linux-2.6.22.18.orig/drivers/char/random.c
++++ linux-2.6.22.18/drivers/char/random.c
+@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32
+ return seq;
+ }
+
++EXPORT_SYMBOL(secure_tcp_sequence_number);
++
+ /* Generate secure starting point for ephemeral IPV4 transport port search */
+ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+ {
-Index: linux-2.6.22.4/net/netfilter/Kconfig
+Index: linux-2.6.22.18/net/netfilter/Kconfig
===================================================================
---- linux-2.6.22.4.orig/net/netfilter/Kconfig
-+++ linux-2.6.22.4/net/netfilter/Kconfig
+--- linux-2.6.22.18.orig/net/netfilter/Kconfig
++++ linux-2.6.22.18/net/netfilter/Kconfig
@@ -379,6 +379,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TCPMSS
tristate '"TCPMSS" target support'
depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
-Index: linux-2.6.22.4/net/netfilter/Makefile
+Index: linux-2.6.22.18/net/netfilter/Makefile
===================================================================
---- linux-2.6.22.4.orig/net/netfilter/Makefile
-+++ linux-2.6.22.4/net/netfilter/Makefile
-@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
+--- linux-2.6.22.18.orig/net/netfilter/Makefile
++++ linux-2.6.22.18/net/netfilter/Makefile
+@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
-
-Index: linux-2.6.22.4/net/netfilter/xt_TARPIT.c
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+Index: linux-2.6.22.18/net/netfilter/xt_TARPIT.c
===================================================================
--- /dev/null
-+++ linux-2.6.22.4/net/netfilter/xt_TARPIT.c
++++ linux-2.6.22.18/net/netfilter/xt_TARPIT.c
@@ -0,0 +1,280 @@
+/*
+ * Kernel module to capture and hold incoming TCP connections using
+ return NF_DROP;
+}
+
-+static bool xt_tarpit_check(const char *tablename, const void *entry,
++static int xt_tarpit_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
--- /dev/null
+Index: linux-2.6.23.16/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- linux-2.6.23.16.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.23.16/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char pattern[MAX_PATTERN_LEN];
+ u_int8_t invert;
++ u_int8_t pkt;
+ };
+
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.23.16/net/netfilter/xt_layer7.c
+===================================================================
+--- linux-2.6.23.16.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.23.16/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
+ }
+
+ /* add the new app data to the conntrack. Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
+- char * app_data, int appdatalen)
++static int add_datastr(char *target, int offset, char *app_data, int len)
+ {
+ int length = 0, i;
+- int oldlength = master_conntrack->layer7.app_data_len;
+-
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
+- if(!master_conntrack->layer7.app_data) return 0;
++
++ if (!target) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */
+- for(i = 0; i < maxdatalen-oldlength-1 &&
+- i < appdatalen; i++) {
++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
+ if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
+- master_conntrack->layer7.app_data[length+oldlength] =
++ target[length+offset] =
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
++ target[length+offset] = '\0';
++
++ return length;
++}
+
+- master_conntrack->layer7.app_data[length+oldlength] = '\0';
+- master_conntrack->layer7.app_data_len = length + oldlength;
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length;
+
++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
++ master_conntrack->layer7.app_data_len += length;
+ return length;
+ }
+
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+- unsigned char * app_data;
++ unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
+
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
+ master_conntrack = master_ct(master_conntrack);
+
+ /* if we've classified it or seen too many packets */
+- if(TOTAL_PACKETS > num_packets ||
+- master_conntrack->layer7.app_proto) {
++ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto)) {
+
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
++ if (info->pkt) {
++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!tmp_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ return info->invert;
++ }
++
++ tmp_data[0] = '\0';
++ add_datastr(tmp_data, 0, app_data, appdatalen);
++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
++ kfree(tmp_data);
++ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
++
++ return (pattern_result ^ info->invert);
++ }
++
+ /* On the first packet of a connection, allocate space for app data */
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
+++ /dev/null
-Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,5 @@
-+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-+# include <linux/netfilter_ipv4/ip_conntrack.h>
-+#else /* linux-2.6.20+ */
-+# include <net/netfilter/nf_nat_rule.h>
-+#endif
-Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,14 @@
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_MATCHINFOSIZE 1
-+# define HAVE_TARGUSERINFO 1
-+# define HAVE_TARGINFOSIZE 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
-+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
-+ tcp_v4_check((tcph_sz), (s), (d), (csp))
-+#endif
-Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
-+
-+enum xt_chaos_variant {
-+ XTCHAOS_NORMAL,
-+ XTCHAOS_TARPIT,
-+ XTCHAOS_DELUDE,
-+};
-+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
-+};
-+
-+#endif /* _LINUX_XT_CHAOS_H */
-Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
-+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
-+};
-+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-Index: linux-2.6.23/net/netfilter/find_match.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,39 @@
-+/*
-+ xt_request_find_match
-+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+
-+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
-+ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/err.h>
-+#include <linux/netfilter_arp.h>
-+#include <linux/socket.h>
-+#include <linux/netfilter/x_tables.h>
-+
-+/*
-+ * Yeah this code is sub-optimal, but the function is missing in
-+ * mainline so far. -jengelh
-+ */
-+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
-+ u8 revision)
-+{
-+ static const char *const xt_prefix[] = {
-+ [AF_INET] = "ip",
-+ [AF_INET6] = "ip6",
-+ [NF_ARP] = "arp",
-+ };
-+ struct xt_match *match;
-+
-+ match = try_then_request_module(xt_find_match(af, name, revision),
-+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
-+ return NULL;
-+
-+ return match;
-+}
-+
-+/* In case it goes into mainline, let this out-of-tree package compile */
-+#define xt_request_find_match xt_request_find_match_lo
-Index: linux-2.6.23/net/netfilter/Kconfig
-===================================================================
---- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800
-@@ -265,6 +265,14 @@
-
- # alphabetically ordered list of targets
-
-+config NETFILTER_XT_TARGET_CHAOS
-+ tristate '"CHAOS" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `CHAOS' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_CLASSIFY
- tristate '"CLASSIFY" target support'
- depends on NETFILTER_XTABLES
-@@ -292,6 +300,14 @@
- <file:Documentation/kbuild/modules.txt>. The module will be called
- ipt_CONNMARK.ko. If unsure, say `N'.
-
-+config NETFILTER_XT_TARGET_DELUDE
-+ tristate '"DELUDE" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `DELUDE' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_DSCP
- tristate '"DSCP" target support'
- depends on NETFILTER_XTABLES
-@@ -556,6 +572,14 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config NETFILTER_XT_MATCH_PORTSCAN
-+ tristate '"portscan" match support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a 'portscan' match support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_MATCH_MULTIPORT
- tristate "Multiple port match support"
- depends on NETFILTER_XTABLES
-Index: linux-2.6.23/net/netfilter/Makefile
-===================================================================
---- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800
-@@ -38,8 +38,10 @@
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
-
- # targets
-+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
-+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -66,6 +68,7 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
-+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,205 @@
-+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/icmp.h>
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter_ipv4/ipt_REJECT.h>
-+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+/* Module parameters */
-+static unsigned int reject_percentage = ~0U * .01;
-+static unsigned int delude_percentage = ~0U * .0101;
-+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
-+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
-+
-+/* References to other matches/targets */
-+static struct xt_match *xm_tcp;
-+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
-+
-+static int have_delude, have_tarpit;
-+
-+/* Static data for other matches/targets */
-+static const struct ipt_reject_info reject_params = {
-+ .with = ICMP_HOST_UNREACH,
-+};
-+
-+static const struct xt_tcp tcp_params = {
-+ .spts = {0, ~0},
-+ .dpts = {0, ~0},
-+};
-+
-+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
-+ struct sk_buff **pskb, const struct net_device *in,
-+ const struct net_device *out, unsigned int hooknum)
-+{
-+ const int protoff = ip_hdrlen(*pskb);
-+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
-+ const struct xt_target *destiny;
-+ bool hotdrop = false;
-+ int ret;
-+
-+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
-+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
-+ return;
-+
-+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
-+#else
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL);
-+#endif
-+ return;
-+}
-+
-+static unsigned int xt_chaos_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* Equivalent to:
-+ * -A chaos -m statistic --mode random --probability \
-+ * $reject_percentage -j REJECT --reject-with host-unreach;
-+ * -A chaos -p tcp -m statistic --mode random --probability \
-+ * $delude_percentage -j DELUDE;
-+ * -A chaos -j DROP;
-+ */
-+ const struct xt_chaos_info *info = targinfo;
-+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params);
-+#endif
-+
-+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
-+ xt_chaos_total(info, pskb, in, out, hooknum);
-+
-+ return NF_DROP;
-+}
-+
-+static bool xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
-+ "DELUDE module not available\n");
-+ return false;
-+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
-+ "TARPIT module not available\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_target xt_chaos_info = {
-+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
-+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_chaos_init(void)
-+{
-+ int ret = -EINVAL;
-+
-+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"tcp\" match\n");
-+ return -EINVAL;
-+ }
-+
-+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"REJECT\" target\n");
-+ goto out2;
-+ }
-+
-+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
-+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"TARPIT\" target\n");
-+
-+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
-+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"DELUDE\" target\n");
-+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
-+ printk(KERN_WARNING PFX "xt_register_target returned "
-+ "error %d\n", ret);
-+ goto out3;
-+ }
-+
-+ return 0;
-+
-+ out3:
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ module_put(xt_reject->me);
-+ out2:
-+ module_put(xm_tcp->me);
-+ return ret;
-+}
-+
-+static void __exit xt_chaos_exit(void)
-+{
-+ xt_unregister_target(&xt_chaos_info);
-+ module_put(xm_tcp->me);
-+ module_put(xt_reject->me);
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ return;
-+}
-+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_CHAOS");
-Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,288 @@
-+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/ip.h>
-+#include <linux/random.h>
-+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+# include <linux/netfilter_bridge.h>
-+#endif
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
-+{
-+ struct iphdr *iph = ip_hdr(skb);
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = ip_hdr(oldskb);
-+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
-+ unsigned int addr_type;
-+
-+ /* IP header checks: fragment. */
-+ if (iph->frag_off & htons(IP_OFFSET))
-+ return;
-+
-+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
-+ sizeof(_otcph), &_otcph);
-+ if (oth == NULL)
-+ return;
-+
-+ /* No RST for RST. */
-+ if (oth->rst)
-+ return;
-+
-+ /* Check checksum */
-+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
-+ return;
-+
-+ /* We need a linear, writeable skb. We also need to expand
-+ headroom in case hh_len of incoming interface < hh_len of
-+ outgoing interface */
-+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
-+ GFP_ATOMIC);
-+ if (!nskb)
-+ return;
-+
-+ /* This packet will not be the same as the other: clear nf fields */
-+ nf_reset(nskb);
-+ nskb->nfmark = 0;
-+ skb_init_secmark(nskb);
-+
-+ skb_shinfo(nskb)->gso_size = 0;
-+ skb_shinfo(nskb)->gso_segs = 0;
-+ skb_shinfo(nskb)->gso_type = 0;
-+
-+ tcph = tcp_hdr(nskb);
-+
-+ /* Swap source and dest */
-+ tmp_addr = ip_hdr(nskb)->saddr;
-+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
-+ ip_hdr(nskb)->daddr = tmp_addr;
-+ tmp_port = tcph->source;
-+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
-+
-+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
-+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-+ ip_hdr(nskb)->tot_len = htons(nskb->len);
-+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
-+ /* DELUDE essential part */
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
-+ oldskb->len - ip_hdrlen(oldskb) -
-+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
-+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - ip_hdrlen(oldskb)
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
-+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
-+ }
-+
-+ /* Reset flags */
-+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
-+ tcph->ack = needs_ack;
-+ }
-+
-+
-+ tcph->window = 0;
-+ tcph->urg_ptr = 0;
-+
-+ /* Adjust TCP checksum */
-+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ ip_hdr(nskb)->saddr,
-+ ip_hdr(nskb)->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
-+
-+ /* Set DF, id = 0 */
-+ ip_hdr(nskb)->frag_off = htons(IP_DF);
-+ ip_hdr(nskb)->id = 0;
-+
-+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ )
-+ addr_type = RTN_LOCAL;
-+
-+ if (ip_route_me_harder(&nskb, addr_type))
-+ goto free_nskb;
-+
-+ nskb->ip_summed = CHECKSUM_NONE;
-+
-+ /* Adjust IP TTL */
-+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
-+
-+ /* Adjust IP checksum */
-+ ip_hdr(nskb)->check = 0;
-+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
-+ ip_hdr(nskb)->ihl);
-+
-+ /* "Never happens" */
-+ if (nskb->len > dst_mtu(nskb->dst))
-+ goto free_nskb;
-+
-+ nf_ct_attach(nskb, oldskb);
-+
-+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-+ dst_output);
-+ return;
-+
-+ free_nskb:
-+ kfree_skb(nskb);
-+}
-+
-+static unsigned int xt_delude_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* WARNING: This code causes reentry within iptables.
-+ This means that the iptables jump stack is now crap. We
-+ must return an absolute verdict. --RR */
-+ send_reset(*pskb, hooknum);
-+ return NF_DROP;
-+}
-+
-+static bool xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_target xt_delude_info = {
-+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
-+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_delude_init(void)
-+{
-+ return xt_register_target(&xt_delude_info);
-+}
-+
-+static void __exit xt_delude_exit(void)
-+{
-+ xt_unregister_target(&xt_delude_info);
-+}
-+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_DELUDE");
-Index: linux-2.6.23/net/netfilter/xt_portscan.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,272 @@
-+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/moduleparam.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/tcp.h>
-+#include <linux/types.h>
-+#include <linux/version.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+enum {
-+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
-+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
-+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
-+};
-+
-+/* Module parameters */
-+static unsigned int
-+ connmark_mask = ~0,
-+ packet_mask = ~0,
-+ mark_seen = 0x9,
-+ mark_synrcv = 0x1,
-+ mark_closed = 0x2,
-+ mark_synscan = 0x3,
-+ mark_estab1 = 0x4,
-+ mark_estab2 = 0x5,
-+ mark_cnscan = 0x6,
-+ mark_grscan = 0x7,
-+ mark_valid = 0x8;
-+
-+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
-+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
-+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
-+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
-+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
-+MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
-+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
-+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
-+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
-+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
-+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
-+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
-+
-+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_ack6(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_fin(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
-+}
-+
-+static inline int tflg_rst(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
-+}
-+
-+static inline int tflg_rstack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_ACK | TCP_FLAG_RST);
-+}
-+
-+static inline int tflg_syn(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
-+}
-+
-+static inline int tflg_synack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
-+}
-+
-+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
-+{
-+ /*
-+ * "Connection refused" replies to our own probes must not be matched.
-+ */
-+ if(tflg_rstack(th))
-+ return 0;
-+
-+ if(tflg_rst(th) && printk_ratelimit()) {
-+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
-+ }
-+
-+ /*
-+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
-+ * packets that are not associated with any connection -- this will
-+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
-+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
-+ */
-+ return !tflg_syn(th);
-+}
-+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
-+{
-+ if(mark == mark_estab2) {
-+ /*
-+ * -m connmark --mark $ESTAB2
-+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
-+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_grscan;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_estab1) {
-+ /*
-+ * -m connmark --mark $ESTAB1
-+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
-+ return mark_estab2;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
-+ /*
-+ * -m connmark --mark $SYN
-+ */
-+ if(loopback && tflg_synack(tcph))
-+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
-+ return mark_closed;
-+ else if(tflg_ack6(tcph))
-+ return mark_estab1;
-+ else
-+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
-+ /*
-+ * -p tcp --syn --ctstate NEW
-+ */
-+ return mark_synrcv;
-+ }
-+ return mark;
-+}
-+
-+static bool xt_portscan_match(const struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo, int offset,
-+ unsigned int protoff, bool *hotdrop)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+ enum ip_conntrack_info ctstate;
-+ struct nf_conn *ctdata;
-+ const struct tcphdr *tcph;
-+ struct tcphdr tcph_buf;
-+
-+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
-+ return false;
-+
-+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
-+ /*
-+ * If @ctdata is NULL, we cannot match the other scan
-+ * types, return.
-+ */
-+ return false;
-+ }
-+
-+ /*
-+ * If -m portscan was previously applied to this packet, the rules we
-+ * simulate must not be run through again. And for speedup, do not call
-+ * it either when the connection is already VALID.
-+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
-+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
-+ in == &loopback_dev, tcph,
-+ skb->len - protoff - 4 * tcph->doff);
-+
-+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
-+ }
-+
-+ return (info->match_syn && ctdata->mark == mark_synscan) ||
-+ (info->match_cn && ctdata->mark == mark_cnscan) ||
-+ (info->match_gr && ctdata->mark == mark_grscan);
-+}
-+
-+static bool xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return false;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
-+ printk(KERN_WARNING PFX "Invalid flags\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_match xt_portscan = {
-+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_portscan_init(void)
-+{
-+ return xt_register_match(&xt_portscan);
-+}
-+
-+static void __exit xt_portscan_exit(void)
-+{
-+ xt_unregister_match(&xt_portscan);
-+ return;
-+}
-+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_portscan");
-Index: linux-2.6.23/drivers/char/random.c
-===================================================================
---- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800
-@@ -1564,6 +1564,8 @@
- return seq;
- }
-
-+EXPORT_SYMBOL(secure_tcp_sequence_number);
-+
- /* Generate secure starting point for ephemeral IPV4 transport port search */
- u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
- {
--- /dev/null
+Index: linux-2.6.23.16/include/linux/netfilter/oot_conntrack.h
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/oot_conntrack.h
+@@ -0,0 +1,5 @@
++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
++# include <linux/netfilter_ipv4/ip_conntrack.h>
++#else /* linux-2.6.20+ */
++# include <net/netfilter/nf_nat_rule.h>
++#endif
+Index: linux-2.6.23.16/include/linux/netfilter/oot_trans.h
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/oot_trans.h
+@@ -0,0 +1,14 @@
++/* Out of tree workarounds */
++#include <linux/version.h>
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
++# define HAVE_MATCHINFOSIZE 1
++# define HAVE_TARGUSERINFO 1
++# define HAVE_TARGINFOSIZE 1
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
++# define nfmark mark
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
++ tcp_v4_check((tcph_sz), (s), (d), (csp))
++#endif
+Index: linux-2.6.23.16/include/linux/netfilter/xt_CHAOS.h
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/xt_CHAOS.h
+@@ -0,0 +1,14 @@
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
++
++enum xt_chaos_target_variant {
++ XTCHAOS_NORMAL,
++ XTCHAOS_TARPIT,
++ XTCHAOS_DELUDE,
++};
++
++struct xt_chaos_target_info {
++ uint8_t variant;
++};
++
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.23.16/include/linux/netfilter/xt_portscan.h
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/xt_portscan.h
+@@ -0,0 +1,8 @@
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
++
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
++};
++
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.23.16/net/netfilter/find_match.c
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/find_match.c
+@@ -0,0 +1,39 @@
++/*
++ xt_request_find_match
++ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++
++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
++ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
++*/
++#include <linux/err.h>
++#include <linux/netfilter_arp.h>
++#include <linux/socket.h>
++#include <linux/netfilter/x_tables.h>
++
++/*
++ * Yeah this code is sub-optimal, but the function is missing in
++ * mainline so far. -jengelh
++ */
++static struct xt_match *xt_request_find_match_lo(int af, const char *name,
++ u8 revision)
++{
++ static const char *const xt_prefix[] = {
++ [AF_INET] = "ip",
++ [AF_INET6] = "ip6",
++ [NF_ARP] = "arp",
++ };
++ struct xt_match *match;
++
++ match = try_then_request_module(xt_find_match(af, name, revision),
++ "%st_%s", xt_prefix[af], name);
++ if (IS_ERR(match) || match == NULL)
++ return NULL;
++
++ return match;
++}
++
++/* In case it goes into mainline, let this out-of-tree package compile */
++#define xt_request_find_match xt_request_find_match_lo
+Index: linux-2.6.23.16/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.23.16.orig/net/netfilter/Kconfig
++++ linux-2.6.23.16/net/netfilter/Kconfig
+@@ -265,6 +265,14 @@ config NETFILTER_XTABLES
+
+ # alphabetically ordered list of targets
+
++config NETFILTER_XT_TARGET_CHAOS
++ tristate '"CHAOS" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `CHAOS' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_CLASSIFY
+ tristate '"CLASSIFY" target support'
+ depends on NETFILTER_XTABLES
+@@ -292,6 +300,14 @@ config NETFILTER_XT_TARGET_CONNMARK
+ <file:Documentation/kbuild/modules.txt>. The module will be called
+ ipt_CONNMARK.ko. If unsure, say `N'.
+
++config NETFILTER_XT_TARGET_DELUDE
++ tristate '"DELUDE" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `DELUDE' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_DSCP
+ tristate '"DSCP" target support'
+ depends on NETFILTER_XTABLES
+@@ -556,6 +572,14 @@ config NETFILTER_XT_MATCH_POLICY
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_PORTSCAN
++ tristate '"portscan" match support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a 'portscan' match support.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_MATCH_MULTIPORT
+ tristate "Multiple port match support"
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.23.16/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.23.16.orig/net/netfilter/Makefile
++++ linux-2.6.23.16/net/netfilter/Makefile
+@@ -49,6 +49,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE)
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -78,3 +80,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
+Index: linux-2.6.23.16/net/netfilter/xt_CHAOS.c
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
++/*
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/icmp.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <linux/netfilter_ipv4/ipt_REJECT.h>
++#include <net/ip.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++/* Module parameters */
++static unsigned int reject_percentage = ~0U * .01;
++static unsigned int delude_percentage = ~0U * .0101;
++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
++
++/* References to other matches/targets */
++static struct xt_match *xm_tcp;
++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
++
++static int have_delude, have_tarpit;
++
++/* Static data for other matches/targets */
++static const struct ipt_reject_info reject_params = {
++ .with = ICMP_HOST_UNREACH,
++};
++
++static const struct xt_tcp tcp_params = {
++ .spts = {0, ~0},
++ .dpts = {0, ~0},
++};
++
++/* CHAOS functions */
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
++ struct sk_buff **pskb, const struct net_device *in,
++ const struct net_device *out, unsigned int hooknum)
++{
++ const struct iphdr *iph = ip_hdr(*pskb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
++ const struct xt_target *destiny;
++ bool hotdrop = false, ret;
++
++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
++ offset, protoff, &hotdrop);
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ return;
++
++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
++ destiny->target(pskb, in, out, hooknum, destiny, NULL);
++ return;
++}
++
++static unsigned int chaos_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /*
++ * Equivalent to:
++ * -A chaos -m statistic --mode random --probability \
++ * $reject_percentage -j REJECT --reject-with host-unreach;
++ * -A chaos -p tcp -m statistic --mode random --probability \
++ * $delude_percentage -j DELUDE;
++ * -A chaos -j DROP;
++ */
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(*pskb);
++
++ if ((unsigned int)net_random() <= reject_percentage)
++ return xt_reject->target(pskb, in, out, hooknum, target,
++ &reject_params);
++
++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ xt_chaos_total(info, pskb, in, out, hooknum);
++
++ return NF_DROP;
++}
++
++static bool chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
++{
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
++ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
++ "DELUDE module not available\n");
++ return false;
++ }
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
++ "TARPIT module not available\n");
++ return false;
++ }
++
++ return true;
++}
++
++static struct xt_target chaos_tg_reg = {
++ .name = "CHAOS",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
++ (1 << NF_IP_LOCAL_OUT),
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
++ .me = THIS_MODULE,
++};
++
++static int __init chaos_tg_init(void)
++{
++ int ret = -EINVAL;
++
++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
++ if (xm_tcp == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"tcp\" match\n");
++ return -EINVAL;
++ }
++
++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
++ if (xt_reject == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"REJECT\" target\n");
++ goto out2;
++ }
++
++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
++ have_tarpit = xt_tarpit != NULL;
++ if (!have_tarpit)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"TARPIT\" target\n");
++
++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
++ have_delude = xt_delude != NULL;
++ if (!have_delude)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"DELUDE\" target\n");
++
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
++ printk(KERN_WARNING PFX "xt_register_target returned "
++ "error %d\n", ret);
++ goto out3;
++ }
++
++ return 0;
++
++ out3:
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ module_put(xt_reject->me);
++ out2:
++ module_put(xm_tcp->me);
++ return ret;
++}
++
++static void __exit chaos_tg_exit(void)
++{
++ xt_unregister_target(&chaos_tg_reg);
++ module_put(xm_tcp->me);
++ module_put(xt_reject->me);
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ return;
++}
++
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_CHAOS");
+Index: linux-2.6.23.16/net/netfilter/xt_DELUDE.c
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
++/*
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/netfilter/x_tables.h>
++#ifdef CONFIG_BRIDGE_NETFILTER
++# include <linux/netfilter_bridge.h>
++#endif
++#include <net/tcp.h>
++#define PFX KBUILD_MODNAME ": "
++
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
++{
++ struct tcphdr _otcph, *oth, *tcph;
++ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
++
++ /* IP header checks: fragment. */
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
++ return;
++
++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
++ sizeof(_otcph), &_otcph);
++ if (oth == NULL)
++ return;
++
++ /* No RST for RST. */
++ if (oth->rst)
++ return;
++
++ /* Check checksum */
++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
++ return;
++
++ /* We need a linear, writeable skb. We also need to expand
++ headroom in case hh_len of incoming interface < hh_len of
++ outgoing interface */
++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
++ GFP_ATOMIC);
++ if (!nskb)
++ return;
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_reset(nskb);
++ nskb->mark = 0;
++ skb_init_secmark(nskb);
++
++ skb_shinfo(nskb)->gso_size = 0;
++ skb_shinfo(nskb)->gso_segs = 0;
++ skb_shinfo(nskb)->gso_type = 0;
++
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
++
++ /* Swap source and dest */
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
++ tcph->source = tcph->dest;
++ tcph->dest = tmp_port;
++
++ /* Truncate to length (no data) */
++ tcph->doff = sizeof(struct tcphdr) / 4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ /* DELUDE essential part */
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
++ oldskb->len - ip_hdrlen(oldskb) -
++ (oth->doff << 2));
++ tcph->seq = false;
++ tcph->ack = true;
++ } else {
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
++ } else {
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = true;
++ tcph->ack = needs_ack;
++ }
++
++ tcph->window = 0;
++ tcph->urg_ptr = 0;
++
++ /* Adjust TCP checksum */
++ tcph->check = 0;
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ addr_type = RTN_UNSPEC;
++#ifdef CONFIG_BRIDGE_NETFILTER
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
++#endif
++ addr_type = RTN_LOCAL;
++
++ if (ip_route_me_harder(&nskb, addr_type))
++ goto free_nskb;
++
++ nskb->ip_summed = CHECKSUM_NONE;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ nf_ct_attach(nskb, oldskb);
++
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
++ dst_output);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int delude_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /* WARNING: This code causes reentry within iptables.
++ This means that the iptables jump stack is now crap. We
++ must return an absolute verdict. --RR */
++ delude_send_reset(*pskb, hooknum);
++ return NF_DROP;
++}
++
++static struct xt_target delude_tg_reg = {
++ .name = "DELUDE",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init delude_tg_init(void)
++{
++ return xt_register_target(&delude_tg_reg);
++}
++
++static void __exit delude_tg_exit(void)
++{
++ xt_unregister_target(&delude_tg_reg);
++}
++
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_DELUDE");
+Index: linux-2.6.23.16/net/netfilter/xt_portscan.c
+===================================================================
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
++/*
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/moduleparam.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/tcp.h>
++#include <linux/types.h>
++#include <linux/version.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++enum {
++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
++};
++
++/* Module parameters */
++static unsigned int
++ connmark_mask = ~0,
++ packet_mask = ~0,
++ mark_seen = 0x9,
++ mark_synrcv = 0x1,
++ mark_closed = 0x2,
++ mark_synscan = 0x3,
++ mark_estab1 = 0x4,
++ mark_estab2 = 0x5,
++ mark_cnscan = 0x6,
++ mark_grscan = 0x7,
++ mark_valid = 0x8;
++
++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
++module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
++module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
++module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
++MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
++
++/* TCP flag functions */
++static inline bool tflg_ack4(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_ack6(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_fin(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
++}
++
++static inline bool tflg_rst(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
++}
++
++static inline bool tflg_rstack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_ACK | TCP_FLAG_RST);
++}
++
++static inline bool tflg_syn(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
++}
++
++static inline bool tflg_synack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_SYN | TCP_FLAG_ACK);
++}
++
++/* portscan functions */
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
++{
++ /*
++ * "Connection refused" replies to our own probes must not be matched.
++ */
++ if (tflg_rstack(th))
++ return false;
++
++ if (tflg_rst(th) && printk_ratelimit()) {
++ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
++ return false;
++ }
++
++ /*
++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
++ * packets that are not associated with any connection -- this will
++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
++ */
++ return !tflg_syn(th);
++}
++
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
++{
++ if (mark == mark_estab2) {
++ /*
++ * -m connmark --mark $ESTAB2
++ */
++ if (tflg_ack4(tcph) && payload_len == 0)
++ return mark; /* keep mark */
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_grscan;
++ else
++ return mark_valid;
++ } else if (mark == mark_estab1) {
++ /*
++ * -m connmark --mark $ESTAB1
++ */
++ if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_cnscan;
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
++ return mark_estab2;
++ else
++ return mark_valid;
++ } else if (mark == mark_synrcv) {
++ /*
++ * -m connmark --mark $SYN
++ */
++ if (loopback && tflg_synack(tcph))
++ return mark; /* keep mark */
++ else if (loopback && tflg_rstack(tcph))
++ return mark_closed;
++ else if (tflg_ack6(tcph))
++ return mark_estab1;
++ else
++ return mark_synscan;
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ /*
++ * -p tcp --syn --ctstate NEW
++ */
++ return mark_synrcv;
++ }
++ return mark;
++}
++
++static bool portscan_mt(const struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ const struct xt_match *match, const void *matchinfo, int offset,
++ unsigned int protoff, bool *hotdrop)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++ enum ip_conntrack_info ctstate;
++ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
++ struct tcphdr tcph_buf;
++
++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
++ if (tcph == NULL)
++ return false;
++
++ /* Check for invalid packets: -m conntrack --ctstate INVALID */
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
++ /*
++ * If @ctdata is NULL, we cannot match the other scan
++ * types, return.
++ */
++ return false;
++ }
++
++ /*
++ * If -m portscan was previously applied to this packet, the rules we
++ * simulate must not be run through again. And for speedup, do not call
++ * it either when the connection is already VALID.
++ */
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
++ unsigned int n;
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++ in == &loopback_dev, tcph,
++ skb->len - protoff - 4 * tcph->doff);
++
++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
++ }
++
++ return (info->match_syn && ctdata->mark == mark_synscan) ||
++ (info->match_cn && ctdata->mark == mark_cnscan) ||
++ (info->match_gr && ctdata->mark == mark_grscan);
++}
++
++static bool portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ printk(KERN_WARNING PFX "Invalid flags\n");
++ return false;
++ }
++ return true;
++}
++
++static struct xt_match portscan_mt_reg __read_mostly = {
++ .name = "portscan",
++ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init portscan_mt_init(void)
++{
++ return xt_register_match(&portscan_mt_reg);
++}
++
++static void __exit portscan_mt_exit(void)
++{
++ xt_unregister_match(&portscan_mt_reg);
++ return;
++}
++
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_portscan");
+Index: linux-2.6.23.16/drivers/char/random.c
+===================================================================
+--- linux-2.6.23.16.orig/drivers/char/random.c
++++ linux-2.6.23.16/drivers/char/random.c
+@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32
+ return seq;
+ }
+
++EXPORT_SYMBOL(secure_tcp_sequence_number);
++
+ /* Generate secure starting point for ephemeral IPV4 transport port search */
+ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+ {
-Index: linux-2.6.23/net/netfilter/Kconfig
+Index: linux-2.6.23.16/net/netfilter/Kconfig
===================================================================
---- linux-2.6.23.orig/net/netfilter/Kconfig
-+++ linux-2.6.23/net/netfilter/Kconfig
+--- linux-2.6.23.16.orig/net/netfilter/Kconfig
++++ linux-2.6.23.16/net/netfilter/Kconfig
@@ -401,6 +401,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TCPMSS
tristate '"TCPMSS" target support'
depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
-Index: linux-2.6.23/net/netfilter/Makefile
+Index: linux-2.6.23.16/net/netfilter/Makefile
===================================================================
---- linux-2.6.23.orig/net/netfilter/Makefile
-+++ linux-2.6.23/net/netfilter/Makefile
-@@ -49,6 +49,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG)
+--- linux-2.6.23.16.orig/net/netfilter/Makefile
++++ linux-2.6.23.16/net/netfilter/Makefile
+@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG)
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
-
-Index: linux-2.6.23/net/netfilter/xt_TARPIT.c
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+Index: linux-2.6.23.16/net/netfilter/xt_TARPIT.c
===================================================================
--- /dev/null
-+++ linux-2.6.23/net/netfilter/xt_TARPIT.c
++++ linux-2.6.23.16/net/netfilter/xt_TARPIT.c
@@ -0,0 +1,280 @@
+/*
+ * Kernel module to capture and hold incoming TCP connections using
--- /dev/null
+Index: linux-2.6.24/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- linux-2.6.24.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.24/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char pattern[MAX_PATTERN_LEN];
+ u_int8_t invert;
++ u_int8_t pkt;
+ };
+
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.24/net/netfilter/xt_layer7.c
+===================================================================
+--- linux-2.6.24.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.24/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
+ }
+
+ /* add the new app data to the conntrack. Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
+- char * app_data, int appdatalen)
++static int add_datastr(char *target, int offset, char *app_data, int len)
+ {
+ int length = 0, i;
+- int oldlength = master_conntrack->layer7.app_data_len;
+-
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
+- if(!master_conntrack->layer7.app_data) return 0;
++
++ if (!target) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */
+- for(i = 0; i < maxdatalen-oldlength-1 &&
+- i < appdatalen; i++) {
++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
+ if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
+- master_conntrack->layer7.app_data[length+oldlength] =
++ target[length+offset] =
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
++ target[length+offset] = '\0';
++
++ return length;
++}
+
+- master_conntrack->layer7.app_data[length+oldlength] = '\0';
+- master_conntrack->layer7.app_data_len = length + oldlength;
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length;
+
++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
++ master_conntrack->layer7.app_data_len += length;
+ return length;
+ }
+
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+- unsigned char * app_data;
++ unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
+
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
+ master_conntrack = master_ct(master_conntrack);
+
+ /* if we've classified it or seen too many packets */
+- if(TOTAL_PACKETS > num_packets ||
+- master_conntrack->layer7.app_proto) {
++ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto)) {
+
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
++ if (info->pkt) {
++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!tmp_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ return info->invert;
++ }
++
++ tmp_data[0] = '\0';
++ add_datastr(tmp_data, 0, app_data, appdatalen);
++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
++ kfree(tmp_data);
++ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
++
++ return (pattern_result ^ info->invert);
++ }
++
+ /* On the first packet of a connection, allocate space for app data */
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
+++ /dev/null
-Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,5 @@
-+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-+# include <linux/netfilter_ipv4/ip_conntrack.h>
-+#else /* linux-2.6.20+ */
-+# include <net/netfilter/nf_nat_rule.h>
-+#endif
-Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,14 @@
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_MATCHINFOSIZE 1
-+# define HAVE_TARGUSERINFO 1
-+# define HAVE_TARGINFOSIZE 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
-+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
-+ tcp_v4_check((tcph_sz), (s), (d), (csp))
-+#endif
-Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
-+
-+enum xt_chaos_variant {
-+ XTCHAOS_NORMAL,
-+ XTCHAOS_TARPIT,
-+ XTCHAOS_DELUDE,
-+};
-+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
-+};
-+
-+#endif /* _LINUX_XT_CHAOS_H */
-Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
-+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
-+};
-+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-Index: linux-2.6.23/net/netfilter/find_match.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,39 @@
-+/*
-+ xt_request_find_match
-+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+
-+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
-+ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/err.h>
-+#include <linux/netfilter_arp.h>
-+#include <linux/socket.h>
-+#include <linux/netfilter/x_tables.h>
-+
-+/*
-+ * Yeah this code is sub-optimal, but the function is missing in
-+ * mainline so far. -jengelh
-+ */
-+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
-+ u8 revision)
-+{
-+ static const char *const xt_prefix[] = {
-+ [AF_INET] = "ip",
-+ [AF_INET6] = "ip6",
-+ [NF_ARP] = "arp",
-+ };
-+ struct xt_match *match;
-+
-+ match = try_then_request_module(xt_find_match(af, name, revision),
-+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
-+ return NULL;
-+
-+ return match;
-+}
-+
-+/* In case it goes into mainline, let this out-of-tree package compile */
-+#define xt_request_find_match xt_request_find_match_lo
-Index: linux-2.6.23/net/netfilter/Kconfig
-===================================================================
---- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800
-@@ -265,6 +265,14 @@
-
- # alphabetically ordered list of targets
-
-+config NETFILTER_XT_TARGET_CHAOS
-+ tristate '"CHAOS" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `CHAOS' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_CLASSIFY
- tristate '"CLASSIFY" target support'
- depends on NETFILTER_XTABLES
-@@ -292,6 +300,14 @@
- <file:Documentation/kbuild/modules.txt>. The module will be called
- ipt_CONNMARK.ko. If unsure, say `N'.
-
-+config NETFILTER_XT_TARGET_DELUDE
-+ tristate '"DELUDE" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `DELUDE' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_DSCP
- tristate '"DSCP" target support'
- depends on NETFILTER_XTABLES
-@@ -556,6 +572,14 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config NETFILTER_XT_MATCH_PORTSCAN
-+ tristate '"portscan" match support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a 'portscan' match support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_MATCH_MULTIPORT
- tristate "Multiple port match support"
- depends on NETFILTER_XTABLES
-Index: linux-2.6.23/net/netfilter/Makefile
-===================================================================
---- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800
-@@ -49,6 +49,8 @@
- obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
-+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
-+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
-
- # matches
- obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
-@@ -79,3 +81,4 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
-+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
-Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,205 @@
-+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/icmp.h>
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter_ipv4/ipt_REJECT.h>
-+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+/* Module parameters */
-+static unsigned int reject_percentage = ~0U * .01;
-+static unsigned int delude_percentage = ~0U * .0101;
-+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
-+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
-+
-+/* References to other matches/targets */
-+static struct xt_match *xm_tcp;
-+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
-+
-+static int have_delude, have_tarpit;
-+
-+/* Static data for other matches/targets */
-+static const struct ipt_reject_info reject_params = {
-+ .with = ICMP_HOST_UNREACH,
-+};
-+
-+static const struct xt_tcp tcp_params = {
-+ .spts = {0, ~0},
-+ .dpts = {0, ~0},
-+};
-+
-+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
-+ struct sk_buff *skb, const struct net_device *in,
-+ const struct net_device *out, unsigned int hooknum)
-+{
-+ const int protoff = ip_hdrlen(skb);
-+ const int offset = ntohs(ip_hdr(skb)->frag_off) & IP_OFFSET;
-+ const struct xt_target *destiny;
-+ bool hotdrop = false;
-+ int ret;
-+
-+ ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params,
-+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
-+ return;
-+
-+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(skb, in, out, hooknum, destiny, NULL, NULL);
-+#else
-+ destiny->target(skb, in, out, hooknum, destiny, NULL);
-+#endif
-+ return;
-+}
-+
-+static unsigned int xt_chaos_target(struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* Equivalent to:
-+ * -A chaos -m statistic --mode random --probability \
-+ * $reject_percentage -j REJECT --reject-with host-unreach;
-+ * -A chaos -p tcp -m statistic --mode random --probability \
-+ * $delude_percentage -j DELUDE;
-+ * -A chaos -j DROP;
-+ */
-+ const struct xt_chaos_info *info = targinfo;
-+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(skb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
-+ return xt_reject->target(skb, in, out, hooknum, target,
-+ &reject_params);
-+#endif
-+
-+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if(ip_hdr(skb)->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
-+ xt_chaos_total(info, skb, in, out, hooknum);
-+
-+ return NF_DROP;
-+}
-+
-+static bool xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
-+ "DELUDE module not available\n");
-+ return false;
-+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
-+ "TARPIT module not available\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_target xt_chaos_info = {
-+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
-+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_chaos_init(void)
-+{
-+ int ret = -EINVAL;
-+
-+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"tcp\" match\n");
-+ return -EINVAL;
-+ }
-+
-+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"REJECT\" target\n");
-+ goto out2;
-+ }
-+
-+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
-+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"TARPIT\" target\n");
-+
-+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
-+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"DELUDE\" target\n");
-+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
-+ printk(KERN_WARNING PFX "xt_register_target returned "
-+ "error %d\n", ret);
-+ goto out3;
-+ }
-+
-+ return 0;
-+
-+ out3:
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ module_put(xt_reject->me);
-+ out2:
-+ module_put(xm_tcp->me);
-+ return ret;
-+}
-+
-+static void __exit xt_chaos_exit(void)
-+{
-+ xt_unregister_target(&xt_chaos_info);
-+ module_put(xm_tcp->me);
-+ module_put(xt_reject->me);
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ return;
-+}
-+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_CHAOS");
-Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,288 @@
-+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/ip.h>
-+#include <linux/random.h>
-+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+# include <linux/netfilter_bridge.h>
-+#endif
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
-+{
-+ struct iphdr *iph = ip_hdr(skb);
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = ip_hdr(oldskb);
-+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
-+ unsigned int addr_type;
-+
-+ /* IP header checks: fragment. */
-+ if (iph->frag_off & htons(IP_OFFSET))
-+ return;
-+
-+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
-+ sizeof(_otcph), &_otcph);
-+ if (oth == NULL)
-+ return;
-+
-+ /* No RST for RST. */
-+ if (oth->rst)
-+ return;
-+
-+ /* Check checksum */
-+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
-+ return;
-+
-+ /* We need a linear, writeable skb. We also need to expand
-+ headroom in case hh_len of incoming interface < hh_len of
-+ outgoing interface */
-+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
-+ GFP_ATOMIC);
-+ if (!nskb)
-+ return;
-+
-+ /* This packet will not be the same as the other: clear nf fields */
-+ nf_reset(nskb);
-+ nskb->nfmark = 0;
-+ skb_init_secmark(nskb);
-+
-+ skb_shinfo(nskb)->gso_size = 0;
-+ skb_shinfo(nskb)->gso_segs = 0;
-+ skb_shinfo(nskb)->gso_type = 0;
-+
-+ tcph = tcp_hdr(nskb);
-+
-+ /* Swap source and dest */
-+ tmp_addr = ip_hdr(nskb)->saddr;
-+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
-+ ip_hdr(nskb)->daddr = tmp_addr;
-+ tmp_port = tcph->source;
-+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
-+
-+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
-+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-+ ip_hdr(nskb)->tot_len = htons(nskb->len);
-+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
-+ /* DELUDE essential part */
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
-+ oldskb->len - ip_hdrlen(oldskb) -
-+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
-+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - ip_hdrlen(oldskb)
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
-+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
-+ }
-+
-+ /* Reset flags */
-+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
-+ tcph->ack = needs_ack;
-+ }
-+
-+
-+ tcph->window = 0;
-+ tcph->urg_ptr = 0;
-+
-+ /* Adjust TCP checksum */
-+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ ip_hdr(nskb)->saddr,
-+ ip_hdr(nskb)->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
-+
-+ /* Set DF, id = 0 */
-+ ip_hdr(nskb)->frag_off = htons(IP_DF);
-+ ip_hdr(nskb)->id = 0;
-+
-+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ )
-+ addr_type = RTN_LOCAL;
-+
-+ if (ip_route_me_harder(nskb, addr_type))
-+ goto free_nskb;
-+
-+ nskb->ip_summed = CHECKSUM_NONE;
-+
-+ /* Adjust IP TTL */
-+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
-+
-+ /* Adjust IP checksum */
-+ ip_hdr(nskb)->check = 0;
-+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
-+ ip_hdr(nskb)->ihl);
-+
-+ /* "Never happens" */
-+ if (nskb->len > dst_mtu(nskb->dst))
-+ goto free_nskb;
-+
-+ nf_ct_attach(nskb, oldskb);
-+
-+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-+ dst_output);
-+ return;
-+
-+ free_nskb:
-+ kfree_skb(nskb);
-+}
-+
-+static unsigned int xt_delude_target(struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* WARNING: This code causes reentry within iptables.
-+ This means that the iptables jump stack is now crap. We
-+ must return an absolute verdict. --RR */
-+ send_reset(skb, hooknum);
-+ return NF_DROP;
-+}
-+
-+static bool xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_target xt_delude_info = {
-+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
-+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_delude_init(void)
-+{
-+ return xt_register_target(&xt_delude_info);
-+}
-+
-+static void __exit xt_delude_exit(void)
-+{
-+ xt_unregister_target(&xt_delude_info);
-+}
-+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_DELUDE");
-Index: linux-2.6.23/net/netfilter/xt_portscan.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,272 @@
-+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/moduleparam.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/tcp.h>
-+#include <linux/types.h>
-+#include <linux/version.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+enum {
-+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
-+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
-+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
-+};
-+
-+/* Module parameters */
-+static unsigned int
-+ connmark_mask = ~0,
-+ packet_mask = ~0,
-+ mark_seen = 0x9,
-+ mark_synrcv = 0x1,
-+ mark_closed = 0x2,
-+ mark_synscan = 0x3,
-+ mark_estab1 = 0x4,
-+ mark_estab2 = 0x5,
-+ mark_cnscan = 0x6,
-+ mark_grscan = 0x7,
-+ mark_valid = 0x8;
-+
-+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
-+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
-+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
-+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
-+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
-+MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
-+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
-+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
-+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
-+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
-+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
-+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
-+
-+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_ack6(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_fin(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
-+}
-+
-+static inline int tflg_rst(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
-+}
-+
-+static inline int tflg_rstack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_ACK | TCP_FLAG_RST);
-+}
-+
-+static inline int tflg_syn(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
-+}
-+
-+static inline int tflg_synack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
-+}
-+
-+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
-+{
-+ /*
-+ * "Connection refused" replies to our own probes must not be matched.
-+ */
-+ if(tflg_rstack(th))
-+ return 0;
-+
-+ if(tflg_rst(th) && printk_ratelimit()) {
-+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
-+ }
-+
-+ /*
-+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
-+ * packets that are not associated with any connection -- this will
-+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
-+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
-+ */
-+ return !tflg_syn(th);
-+}
-+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
-+{
-+ if(mark == mark_estab2) {
-+ /*
-+ * -m connmark --mark $ESTAB2
-+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
-+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_grscan;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_estab1) {
-+ /*
-+ * -m connmark --mark $ESTAB1
-+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
-+ return mark_estab2;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
-+ /*
-+ * -m connmark --mark $SYN
-+ */
-+ if(loopback && tflg_synack(tcph))
-+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
-+ return mark_closed;
-+ else if(tflg_ack6(tcph))
-+ return mark_estab1;
-+ else
-+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
-+ /*
-+ * -p tcp --syn --ctstate NEW
-+ */
-+ return mark_synrcv;
-+ }
-+ return mark;
-+}
-+
-+static bool xt_portscan_match(const struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo, int offset,
-+ unsigned int protoff, bool *hotdrop)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+ enum ip_conntrack_info ctstate;
-+ struct nf_conn *ctdata;
-+ const struct tcphdr *tcph;
-+ struct tcphdr tcph_buf;
-+
-+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
-+ return false;
-+
-+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
-+ /*
-+ * If @ctdata is NULL, we cannot match the other scan
-+ * types, return.
-+ */
-+ return false;
-+ }
-+
-+ /*
-+ * If -m portscan was previously applied to this packet, the rules we
-+ * simulate must not be run through again. And for speedup, do not call
-+ * it either when the connection is already VALID.
-+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
-+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
-+ (in->flags && IFF_LOOPBACK) == IFF_LOOPBACK, tcph,
-+ skb->len - protoff - 4 * tcph->doff);
-+
-+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
-+ }
-+
-+ return (info->match_syn && ctdata->mark == mark_synscan) ||
-+ (info->match_cn && ctdata->mark == mark_cnscan) ||
-+ (info->match_gr && ctdata->mark == mark_grscan);
-+}
-+
-+static bool xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return false;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
-+ printk(KERN_WARNING PFX "Invalid flags\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_match xt_portscan = {
-+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_portscan_init(void)
-+{
-+ return xt_register_match(&xt_portscan);
-+}
-+
-+static void __exit xt_portscan_exit(void)
-+{
-+ xt_unregister_match(&xt_portscan);
-+ return;
-+}
-+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_portscan");
-Index: linux-2.6.23/drivers/char/random.c
-===================================================================
---- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800
-@@ -1564,6 +1564,8 @@
- return seq;
- }
-
-+EXPORT_SYMBOL(secure_tcp_sequence_number);
-+
- /* Generate secure starting point for ephemeral IPV4 transport port search */
- u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
- {
--- /dev/null
+Index: linux-2.6.24/include/linux/netfilter/oot_conntrack.h
+===================================================================
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/oot_conntrack.h
+@@ -0,0 +1,5 @@
++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
++# include <linux/netfilter_ipv4/ip_conntrack.h>
++#else /* linux-2.6.20+ */
++# include <net/netfilter/nf_nat_rule.h>
++#endif
+Index: linux-2.6.24/include/linux/netfilter/oot_trans.h
+===================================================================
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/oot_trans.h
+@@ -0,0 +1,14 @@
++/* Out of tree workarounds */
++#include <linux/version.h>
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
++# define HAVE_MATCHINFOSIZE 1
++# define HAVE_TARGUSERINFO 1
++# define HAVE_TARGINFOSIZE 1
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
++# define nfmark mark
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
++ tcp_v4_check((tcph_sz), (s), (d), (csp))
++#endif
+Index: linux-2.6.24/include/linux/netfilter/xt_CHAOS.h
+===================================================================
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/xt_CHAOS.h
+@@ -0,0 +1,14 @@
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
++
++enum xt_chaos_target_variant {
++ XTCHAOS_NORMAL,
++ XTCHAOS_TARPIT,
++ XTCHAOS_DELUDE,
++};
++
++struct xt_chaos_target_info {
++ uint8_t variant;
++};
++
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.24/include/linux/netfilter/xt_portscan.h
+===================================================================
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/xt_portscan.h
+@@ -0,0 +1,8 @@
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
++
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
++};
++
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.24/net/netfilter/find_match.c
+===================================================================
+--- /dev/null
++++ linux-2.6.24/net/netfilter/find_match.c
+@@ -0,0 +1,39 @@
++/*
++ xt_request_find_match
++ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++
++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
++ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
++*/
++#include <linux/err.h>
++#include <linux/netfilter_arp.h>
++#include <linux/socket.h>
++#include <linux/netfilter/x_tables.h>
++
++/*
++ * Yeah this code is sub-optimal, but the function is missing in
++ * mainline so far. -jengelh
++ */
++static struct xt_match *xt_request_find_match_lo(int af, const char *name,
++ u8 revision)
++{
++ static const char *const xt_prefix[] = {
++ [AF_INET] = "ip",
++ [AF_INET6] = "ip6",
++ [NF_ARP] = "arp",
++ };
++ struct xt_match *match;
++
++ match = try_then_request_module(xt_find_match(af, name, revision),
++ "%st_%s", xt_prefix[af], name);
++ if (IS_ERR(match) || match == NULL)
++ return NULL;
++
++ return match;
++}
++
++/* In case it goes into mainline, let this out-of-tree package compile */
++#define xt_request_find_match xt_request_find_match_lo
+Index: linux-2.6.24/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.24.orig/net/netfilter/Kconfig
++++ linux-2.6.24/net/netfilter/Kconfig
+@@ -265,6 +265,14 @@ config NETFILTER_XTABLES
+
+ # alphabetically ordered list of targets
+
++config NETFILTER_XT_TARGET_CHAOS
++ tristate '"CHAOS" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `CHAOS' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_CLASSIFY
+ tristate '"CLASSIFY" target support'
+ depends on NETFILTER_XTABLES
+@@ -292,6 +300,14 @@ config NETFILTER_XT_TARGET_CONNMARK
+ <file:Documentation/kbuild/modules.txt>. The module will be called
+ ipt_CONNMARK.ko. If unsure, say `N'.
+
++config NETFILTER_XT_TARGET_DELUDE
++ tristate '"DELUDE" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `DELUDE' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_DSCP
+ tristate '"DSCP" target support'
+ depends on NETFILTER_XTABLES
+@@ -556,6 +572,14 @@ config NETFILTER_XT_MATCH_POLICY
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_PORTSCAN
++ tristate '"portscan" match support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a 'portscan' match support.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_MATCH_MULTIPORT
+ tristate "Multiple port match support"
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.24/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.24.orig/net/netfilter/Makefile
++++ linux-2.6.24/net/netfilter/Makefile
+@@ -49,6 +49,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -79,3 +81,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
+Index: linux-2.6.24/net/netfilter/xt_CHAOS.c
+===================================================================
+--- /dev/null
++++ linux-2.6.24/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
++/*
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/icmp.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <linux/netfilter_ipv4/ipt_REJECT.h>
++#include <net/ip.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++/* Module parameters */
++static unsigned int reject_percentage = ~0U * .01;
++static unsigned int delude_percentage = ~0U * .0101;
++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
++
++/* References to other matches/targets */
++static struct xt_match *xm_tcp;
++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
++
++static int have_delude, have_tarpit;
++
++/* Static data for other matches/targets */
++static const struct ipt_reject_info reject_params = {
++ .with = ICMP_HOST_UNREACH,
++};
++
++static const struct xt_tcp tcp_params = {
++ .spts = {0, ~0},
++ .dpts = {0, ~0},
++};
++
++/* CHAOS functions */
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
++ struct sk_buff *skb, const struct net_device *in,
++ const struct net_device *out, unsigned int hooknum)
++{
++ const struct iphdr *iph = ip_hdr(skb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
++ const struct xt_target *destiny;
++ bool hotdrop = false, ret;
++
++ ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params,
++ offset, protoff, &hotdrop);
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ return;
++
++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
++ destiny->target(skb, in, out, hooknum, destiny, NULL);
++ return;
++}
++
++static unsigned int chaos_tg(struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /*
++ * Equivalent to:
++ * -A chaos -m statistic --mode random --probability \
++ * $reject_percentage -j REJECT --reject-with host-unreach;
++ * -A chaos -p tcp -m statistic --mode random --probability \
++ * $delude_percentage -j DELUDE;
++ * -A chaos -j DROP;
++ */
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(skb);
++
++ if ((unsigned int)net_random() <= reject_percentage)
++ return xt_reject->target(skb, in, out, hooknum, target,
++ &reject_params);
++
++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ xt_chaos_total(info, skb, in, out, hooknum);
++
++ return NF_DROP;
++}
++
++static bool chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
++{
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
++ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
++ "DELUDE module not available\n");
++ return false;
++ }
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
++ "TARPIT module not available\n");
++ return false;
++ }
++
++ return true;
++}
++
++static struct xt_target chaos_tg_reg = {
++ .name = "CHAOS",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
++ (1 << NF_IP_LOCAL_OUT),
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
++ .me = THIS_MODULE,
++};
++
++static int __init chaos_tg_init(void)
++{
++ int ret = -EINVAL;
++
++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
++ if (xm_tcp == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"tcp\" match\n");
++ return -EINVAL;
++ }
++
++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
++ if (xt_reject == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"REJECT\" target\n");
++ goto out2;
++ }
++
++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
++ have_tarpit = xt_tarpit != NULL;
++ if (!have_tarpit)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"TARPIT\" target\n");
++
++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
++ have_delude = xt_delude != NULL;
++ if (!have_delude)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"DELUDE\" target\n");
++
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
++ printk(KERN_WARNING PFX "xt_register_target returned "
++ "error %d\n", ret);
++ goto out3;
++ }
++
++ return 0;
++
++ out3:
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ module_put(xt_reject->me);
++ out2:
++ module_put(xm_tcp->me);
++ return ret;
++}
++
++static void __exit chaos_tg_exit(void)
++{
++ xt_unregister_target(&chaos_tg_reg);
++ module_put(xm_tcp->me);
++ module_put(xt_reject->me);
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ return;
++}
++
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_CHAOS");
+Index: linux-2.6.24/net/netfilter/xt_DELUDE.c
+===================================================================
+--- /dev/null
++++ linux-2.6.24/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
++/*
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/netfilter/x_tables.h>
++#ifdef CONFIG_BRIDGE_NETFILTER
++# include <linux/netfilter_bridge.h>
++#endif
++#include <net/tcp.h>
++#define PFX KBUILD_MODNAME ": "
++
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
++{
++ struct tcphdr _otcph, *oth, *tcph;
++ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
++
++ /* IP header checks: fragment. */
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
++ return;
++
++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
++ sizeof(_otcph), &_otcph);
++ if (oth == NULL)
++ return;
++
++ /* No RST for RST. */
++ if (oth->rst)
++ return;
++
++ /* Check checksum */
++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
++ return;
++
++ /* We need a linear, writeable skb. We also need to expand
++ headroom in case hh_len of incoming interface < hh_len of
++ outgoing interface */
++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
++ GFP_ATOMIC);
++ if (!nskb)
++ return;
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_reset(nskb);
++ nskb->mark = 0;
++ skb_init_secmark(nskb);
++
++ skb_shinfo(nskb)->gso_size = 0;
++ skb_shinfo(nskb)->gso_segs = 0;
++ skb_shinfo(nskb)->gso_type = 0;
++
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
++
++ /* Swap source and dest */
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
++ tcph->source = tcph->dest;
++ tcph->dest = tmp_port;
++
++ /* Truncate to length (no data) */
++ tcph->doff = sizeof(struct tcphdr) / 4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ /* DELUDE essential part */
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
++ oldskb->len - ip_hdrlen(oldskb) -
++ (oth->doff << 2));
++ tcph->seq = false;
++ tcph->ack = true;
++ } else {
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
++ } else {
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = true;
++ tcph->ack = needs_ack;
++ }
++
++ tcph->window = 0;
++ tcph->urg_ptr = 0;
++
++ /* Adjust TCP checksum */
++ tcph->check = 0;
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ addr_type = RTN_UNSPEC;
++#ifdef CONFIG_BRIDGE_NETFILTER
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
++#endif
++ addr_type = RTN_LOCAL;
++
++ if (ip_route_me_harder(nskb, addr_type))
++ goto free_nskb;
++
++ nskb->ip_summed = CHECKSUM_NONE;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ nf_ct_attach(nskb, oldskb);
++
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
++ dst_output);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int delude_tg(struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /* WARNING: This code causes reentry within iptables.
++ This means that the iptables jump stack is now crap. We
++ must return an absolute verdict. --RR */
++ delude_send_reset(skb, hooknum);
++ return NF_DROP;
++}
++
++static struct xt_target delude_tg_reg = {
++ .name = "DELUDE",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init delude_tg_init(void)
++{
++ return xt_register_target(&delude_tg_reg);
++}
++
++static void __exit delude_tg_exit(void)
++{
++ xt_unregister_target(&delude_tg_reg);
++}
++
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_DELUDE");
+Index: linux-2.6.24/net/netfilter/xt_portscan.c
+===================================================================
+--- /dev/null
++++ linux-2.6.24/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
++/*
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/moduleparam.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/tcp.h>
++#include <linux/types.h>
++#include <linux/version.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++enum {
++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
++};
++
++/* Module parameters */
++static unsigned int
++ connmark_mask = ~0,
++ packet_mask = ~0,
++ mark_seen = 0x9,
++ mark_synrcv = 0x1,
++ mark_closed = 0x2,
++ mark_synscan = 0x3,
++ mark_estab1 = 0x4,
++ mark_estab2 = 0x5,
++ mark_cnscan = 0x6,
++ mark_grscan = 0x7,
++ mark_valid = 0x8;
++
++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
++module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
++module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
++module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
++MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
++
++/* TCP flag functions */
++static inline bool tflg_ack4(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_ack6(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_fin(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
++}
++
++static inline bool tflg_rst(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
++}
++
++static inline bool tflg_rstack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_ACK | TCP_FLAG_RST);
++}
++
++static inline bool tflg_syn(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
++}
++
++static inline bool tflg_synack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_SYN | TCP_FLAG_ACK);
++}
++
++/* portscan functions */
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
++{
++ /*
++ * "Connection refused" replies to our own probes must not be matched.
++ */
++ if (tflg_rstack(th))
++ return false;
++
++ if (tflg_rst(th) && printk_ratelimit()) {
++ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
++ return false;
++ }
++
++ /*
++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
++ * packets that are not associated with any connection -- this will
++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
++ */
++ return !tflg_syn(th);
++}
++
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
++{
++ if (mark == mark_estab2) {
++ /*
++ * -m connmark --mark $ESTAB2
++ */
++ if (tflg_ack4(tcph) && payload_len == 0)
++ return mark; /* keep mark */
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_grscan;
++ else
++ return mark_valid;
++ } else if (mark == mark_estab1) {
++ /*
++ * -m connmark --mark $ESTAB1
++ */
++ if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_cnscan;
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
++ return mark_estab2;
++ else
++ return mark_valid;
++ } else if (mark == mark_synrcv) {
++ /*
++ * -m connmark --mark $SYN
++ */
++ if (loopback && tflg_synack(tcph))
++ return mark; /* keep mark */
++ else if (loopback && tflg_rstack(tcph))
++ return mark_closed;
++ else if (tflg_ack6(tcph))
++ return mark_estab1;
++ else
++ return mark_synscan;
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ /*
++ * -p tcp --syn --ctstate NEW
++ */
++ return mark_synrcv;
++ }
++ return mark;
++}
++
++static bool portscan_mt(const struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ const struct xt_match *match, const void *matchinfo, int offset,
++ unsigned int protoff, bool *hotdrop)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++ enum ip_conntrack_info ctstate;
++ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
++ struct tcphdr tcph_buf;
++
++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
++ if (tcph == NULL)
++ return false;
++
++ /* Check for invalid packets: -m conntrack --ctstate INVALID */
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
++ /*
++ * If @ctdata is NULL, we cannot match the other scan
++ * types, return.
++ */
++ return false;
++ }
++
++ /*
++ * If -m portscan was previously applied to this packet, the rules we
++ * simulate must not be run through again. And for speedup, do not call
++ * it either when the connection is already VALID.
++ */
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
++ unsigned int n;
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++ (in->flags & IFF_LOOPBACK) == IFF_LOOPBACK, tcph,
++ skb->len - protoff - 4 * tcph->doff);
++
++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
++ }
++
++ return (info->match_syn && ctdata->mark == mark_synscan) ||
++ (info->match_cn && ctdata->mark == mark_cnscan) ||
++ (info->match_gr && ctdata->mark == mark_grscan);
++}
++
++static bool portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ printk(KERN_WARNING PFX "Invalid flags\n");
++ return false;
++ }
++ return true;
++}
++
++static struct xt_match portscan_mt_reg __read_mostly = {
++ .name = "portscan",
++ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init portscan_mt_init(void)
++{
++ return xt_register_match(&portscan_mt_reg);
++}
++
++static void __exit portscan_mt_exit(void)
++{
++ xt_unregister_match(&portscan_mt_reg);
++ return;
++}
++
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_portscan");
+Index: linux-2.6.24/drivers/char/random.c
+===================================================================
+--- linux-2.6.24.orig/drivers/char/random.c
++++ linux-2.6.24/drivers/char/random.c
+@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32
+ return seq;
+ }
+
++EXPORT_SYMBOL(secure_tcp_sequence_number);
++
+ /* Generate secure starting point for ephemeral IPV4 transport port search */
+ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+ {
--- /dev/null
+Index: linux-2.6.21.7/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Kconfig
++++ linux-2.6.21.7/net/netfilter/Kconfig
+@@ -640,6 +640,27 @@ config NETFILTER_XT_MATCH_STATE
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_LAYER7
++ tristate '"layer7" match support'
++ depends on NETFILTER_XTABLES
++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
++ depends on NF_CT_ACCT
++ help
++ Say Y if you want to be able to classify connections (and their
++ packets) based on regular expression matching of their application
++ layer data. This is one way to classify applications such as
++ peer-to-peer filesharing systems that do not always use the same
++ port.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
++config NETFILTER_XT_MATCH_LAYER7_DEBUG
++ bool 'Layer 7 debugging output'
++ depends on NETFILTER_XT_MATCH_LAYER7
++ help
++ Say Y to get lots of debugging output.
++
++
+ config NETFILTER_XT_MATCH_STATISTIC
+ tristate '"statistic" match support'
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.21.7/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Makefile
++++ linux-2.6.21.7/net/netfilter/Makefile
+@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +
+ obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+Index: linux-2.6.21.7/net/netfilter/xt_layer7.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_layer7.c
+@@ -0,0 +1,634 @@
++/*
++ Kernel module to match application layer (OSI layer 7) data in connections.
++
++ http://l7-filter.sf.net
++
++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>,
++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
++ Ethan Sommer, Justin Levandoski.
++*/
++
++#include <linux/spinlock.h>
++#include <linux/version.h>
++#include <net/ip.h>
++#include <net/tcp.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_layer7.h>
++#include <linux/ctype.h>
++#include <linux/proc_fs.h>
++
++#include "regexp/regexp.c"
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
++MODULE_DESCRIPTION("iptables application layer match module");
++MODULE_ALIAS("ipt_layer7");
++MODULE_VERSION("2.17");
++
++static int maxdatalen = 2048; // this is the default
++module_param(maxdatalen, int, 0444);
++MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
++ #define DPRINTK(format,args...) printk(format,##args)
++#else
++ #define DPRINTK(format,args...)
++#endif
++
++#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
++ master_conntrack->counters[IP_CT_DIR_REPLY].packets
++
++/* Number of packets whose data we look at.
++This can be modified through /proc/net/layer7_numpackets */
++static int num_packets = 10;
++
++static struct pattern_cache {
++ char * regex_string;
++ regexp * pattern;
++ struct pattern_cache * next;
++} * first_pattern_cache = NULL;
++
++DEFINE_SPINLOCK(l7_lock);
++
++#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++/* Converts an unfriendly string into a friendly one by
++replacing unprintables with periods and all whitespace with " ". */
++static char * friendly_print(unsigned char * s)
++{
++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
++ int i;
++
++ if(!f) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "friendly_print, bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++){
++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
++ else if(isspace(s[i])) f[i] = ' ';
++ else f[i] = '.';
++ }
++ f[i] = '\0';
++ return f;
++}
++
++static char dec2hex(int i)
++{
++ switch (i) {
++ case 0 ... 9:
++ return (i + '0');
++ break;
++ case 10 ... 15:
++ return (i - 10 + 'a');
++ break;
++ default:
++ if (net_ratelimit())
++ printk("layer7: Problem in dec2hex\n");
++ return '\0';
++ }
++}
++
++static char * hex_print(unsigned char * s)
++{
++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
++ int i;
++
++ if(!g) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in hex_print, "
++ "bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++) {
++ g[i*3 ] = dec2hex(s[i]/16);
++ g[i*3 + 1] = dec2hex(s[i]%16);
++ g[i*3 + 2] = ' ';
++ }
++ g[i*3] = '\0';
++
++ return g;
++}
++#endif // DEBUG
++
++/* Use instead of regcomp. As we expect to be seeing the same regexps over and
++over again, it make sense to cache the results. */
++static regexp * compile_and_cache(const char * regex_string,
++ const char * protocol)
++{
++ struct pattern_cache * node = first_pattern_cache;
++ struct pattern_cache * last_pattern_cache = first_pattern_cache;
++ struct pattern_cache * tmp;
++ unsigned int len;
++
++ while (node != NULL) {
++ if (!strcmp(node->regex_string, regex_string))
++ return node->pattern;
++
++ last_pattern_cache = node;/* points at the last non-NULL node */
++ node = node->next;
++ }
++
++ /* If we reach the end of the list, then we have not yet cached
++ the pattern for this regex. Let's do that now.
++ Be paranoid about running out of memory to avoid list corruption. */
++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
++
++ if(!tmp) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
++ return NULL;
++ }
++
++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
++ tmp->next = NULL;
++
++ if(!tmp->regex_string || !tmp->pattern) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
++ kfree(tmp->regex_string);
++ kfree(tmp->pattern);
++ kfree(tmp);
++ return NULL;
++ }
++
++ /* Ok. The new node is all ready now. */
++ node = tmp;
++
++ if(first_pattern_cache == NULL) /* list is empty */
++ first_pattern_cache = node; /* make node the beginning */
++ else
++ last_pattern_cache->next = node; /* attach node to the end */
++
++ /* copy the string and compile the regex */
++ len = strlen(regex_string);
++ DPRINTK("About to compile this: \"%s\"\n", regex_string);
++ node->pattern = regcomp((char *)regex_string, &len);
++ if ( !node->pattern ) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: Error compiling regexp "
++ "\"%s\" (%s)\n",
++ regex_string, protocol);
++ /* pattern is now cached as NULL, so we won't try again. */
++ }
++
++ strcpy(node->regex_string, regex_string);
++ return node->pattern;
++}
++
++static int can_handle(const struct sk_buff *skb)
++{
++ if(!ip_hdr(skb)) /* not IP */
++ return 0;
++ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
++ ip_hdr(skb)->protocol != IPPROTO_UDP &&
++ ip_hdr(skb)->protocol != IPPROTO_ICMP)
++ return 0;
++ return 1;
++}
++
++/* Returns offset the into the skb->data that the application data starts */
++static int app_data_offset(const struct sk_buff *skb)
++{
++ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
++ int ip_hl = 4*ip_hdr(skb)->ihl;
++
++ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
++ /* 12 == offset into TCP header for the header length field.
++ Can't get this with skb->h.th->doff because the tcphdr
++ struct doesn't get set when routing (this is confirmed to be
++ true in Netfilter as well as QoS.) */
++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
++
++ return ip_hl + tcp_hl;
++ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
++ return ip_hl + 8; /* UDP header is always 8 bytes */
++ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
++ return ip_hl + 8; /* ICMP header is 8 bytes */
++ } else {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: tried to handle unknown "
++ "protocol!\n");
++ return ip_hl + 8; /* something reasonable */
++ }
++}
++
++/* handles whether there's a match when we aren't appending data anymore */
++static int match_no_append(struct nf_conn * conntrack,
++ struct nf_conn * master_conntrack,
++ enum ip_conntrack_info ctinfo,
++ enum ip_conntrack_info master_ctinfo,
++ const struct xt_layer7_info * info)
++{
++ /* If we're in here, throw the app data away */
++ if(master_conntrack->layer7.app_data != NULL) {
++
++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++ if(!master_conntrack->layer7.app_proto) {
++ char * f =
++ friendly_print(master_conntrack->layer7.app_data);
++ char * g =
++ hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes "
++ "(%d packets):\n%s\n",
++ strlen(f), TOTAL_PACKETS, f);
++ kfree(f);
++ DPRINTK("In hex: %s\n", g);
++ kfree(g);
++ }
++ #endif
++
++ kfree(master_conntrack->layer7.app_data);
++ master_conntrack->layer7.app_data = NULL; /* don't free again */
++ }
++
++ if(master_conntrack->layer7.app_proto){
++ /* Here child connections set their .app_proto (for /proc) */
++ if(!conntrack->layer7.app_proto) {
++ conntrack->layer7.app_proto =
++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
++ GFP_ATOMIC);
++ if(!conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory "
++ "in match_no_append, "
++ "bailing.\n");
++ return 1;
++ }
++ strcpy(conntrack->layer7.app_proto,
++ master_conntrack->layer7.app_proto);
++ }
++
++ return (!strcmp(master_conntrack->layer7.app_proto,
++ info->protocol));
++ }
++ else {
++ /* If not classified, set to "unknown" to distinguish from
++ connections that are still being tested. */
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match_no_append, bailing.\n");
++ return 1;
++ }
++ strcpy(master_conntrack->layer7.app_proto, "unknown");
++ return 0;
++ }
++}
++
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length = 0, i;
++ int oldlength = master_conntrack->layer7.app_data_len;
++
++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
++ clear on whether the race condition exists or whether this really
++ fixes it. I might just be being dense... Anyway, if it's not really
++ a fix, all it does is waste a very small amount of time. */
++ if(!master_conntrack->layer7.app_data) return 0;
++
++ /* Strip nulls. Make everything lower case (our regex lib doesn't
++ do case insensitivity). Add it to the end of the current data. */
++ for(i = 0; i < maxdatalen-oldlength-1 &&
++ i < appdatalen; i++) {
++ if(app_data[i] != '\0') {
++ /* the kernel version of tolower mungs 'upper ascii' */
++ master_conntrack->layer7.app_data[length+oldlength] =
++ isascii(app_data[i])?
++ tolower(app_data[i]) : app_data[i];
++ length++;
++ }
++ }
++
++ master_conntrack->layer7.app_data[length+oldlength] = '\0';
++ master_conntrack->layer7.app_data_len = length + oldlength;
++
++ return length;
++}
++
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
++{
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. "
++ "num_packets unchanged.\n");
++ return count;
++ }
++
++ if(copy_from_user(foo, buffer, count)) {
++ return -EFAULT;
++ }
++
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++static int
++match(const struct sk_buff *skbin,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
++{
++ /* sidestep const without getting a compiler warning... */
++ struct sk_buff * skb = (struct sk_buff *)skbin;
++
++ const struct xt_layer7_info * info = matchinfo;
++ enum ip_conntrack_info master_ctinfo, ctinfo;
++ struct nf_conn *master_conntrack, *conntrack;
++ unsigned char * app_data;
++ unsigned int pattern_result, appdatalen;
++ regexp * comppattern;
++
++ /* Be paranoid/incompetent - lock the entire match function. */
++ spin_lock_bh(&l7_lock);
++
++ if(!can_handle(skb)){
++ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ /* Treat parent & all its children together as one connection, except
++ for the purpose of setting conntrack->layer7.app_proto in the actual
++ connection. This makes /proc/net/ip_conntrack more satisfying. */
++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
++ DPRINTK("layer7: couldn't get conntrack.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
++ while (master_ct(master_conntrack) != NULL)
++ master_conntrack = master_ct(master_conntrack);
++
++ /* if we've classified it or seen too many packets */
++ if(TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto) {
++
++ pattern_result = match_no_append(conntrack, master_conntrack,
++ ctinfo, master_ctinfo, info);
++
++ /* skb->cb[0] == seen. Don't do things twice if there are
++ multiple l7 rules. I'm not sure that using cb for this purpose
++ is correct, even though it says "put your private variables
++ there". But it doesn't look like it is being used for anything
++ else in the skbs that make it here. */
++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
++
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++ }
++
++ if(skb_is_nonlinear(skb)){
++ if(skb_linearize(skb) != 0){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: failed to linearize "
++ "packet, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++ }
++
++ /* now that the skb is linearized, it's safe to set these. */
++ app_data = skb->data + app_data_offset(skb);
++ appdatalen = skb_tail_pointer(skb) - app_data;
++
++ /* the return value gets checked later, when we're ready to use it */
++ comppattern = compile_and_cache(info->pattern, info->protocol);
++
++ /* On the first packet of a connection, allocate space for app data */
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ !master_conntrack->layer7.app_data){
++ master_conntrack->layer7.app_data =
++ kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ master_conntrack->layer7.app_data[0] = '\0';
++ }
++
++ /* Can be here, but unallocated, if numpackets is increased near
++ the beginning of a connection */
++ if(master_conntrack->layer7.app_data == NULL){
++ spin_unlock_bh(&l7_lock);
++ return (info->invert); /* unmatched */
++ }
++
++ if(!skb->cb[0]){
++ int newbytes;
++ newbytes = add_data(master_conntrack, app_data, appdatalen);
++
++ if(newbytes == 0) { /* didn't add any data */
++ skb->cb[0] = 1;
++ /* Didn't match before, not going to match now */
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++ }
++
++ /* If looking for "unknown", then never match. "Unknown" means that
++ we've given up; we're still trying with these packets. */
++ if(!strcmp(info->protocol, "unknown")) {
++ pattern_result = 0;
++ /* If looking for "unset", then always match. "Unset" means that we
++ haven't yet classified the connection. */
++ } else if(!strcmp(info->protocol, "unset")) {
++ pattern_result = 2;
++ DPRINTK("layer7: matched unset: not yet classified "
++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ /* If the regexp failed to compile, don't bother running it */
++ } else if(comppattern &&
++ regexec(comppattern, master_conntrack->layer7.app_data)){
++ DPRINTK("layer7: matched %s\n", info->protocol);
++ pattern_result = 1;
++ } else pattern_result = 0;
++
++ if(pattern_result == 1) {
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++ }
++ strcpy(master_conntrack->layer7.app_proto, info->protocol);
++ } else if(pattern_result > 1) { /* cleanup from "unset" */
++ pattern_result = 1;
++ }
++
++ /* mark the packet seen */
++ skb->cb[0] = 1;
++
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++}
++
++static int check(const char *tablename,
++ const void *inf,
++ const struct xt_match *match,
++ void *matchinfo,
++ unsigned int hook_mask)
++
++{
++ // load nf_conntrack_ipv4
++ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
++ printk(KERN_WARNING "can't load conntrack support for "
++ "proto=%d\n", match->family);
++ return false;
++ }
++ return true;
++}
++
++static void
++destroy(const struct xt_match *match, void *matchinfo)
++{
++ nf_ct_l3proto_module_put(match->family);
++}
++
++static struct xt_match xt_layer7_match[] = {
++{
++ .name = "layer7",
++ .family = AF_INET,
++ .checkentry = check,
++ .match = match,
++ .destroy = destroy,
++ .matchsize = sizeof(struct xt_layer7_info),
++ .me = THIS_MODULE
++}
++};
++
++static void layer7_cleanup_proc(void)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ remove_proc_entry("layer7_numpackets", proc_net);
++#else
++ remove_proc_entry("layer7_numpackets", init_net.proc_net);
++#endif
++}
++
++/* register the proc file */
++static void layer7_init_proc(void)
++{
++ struct proc_dir_entry* entry;
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
++#else
++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
++#endif
++ entry->read_proc = layer7_read_proc;
++ entry->write_proc = layer7_write_proc;
++}
++
++static int __init xt_layer7_init(void)
++{
++ need_conntrack();
++
++ layer7_init_proc();
++ if(maxdatalen < 1) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, "
++ "using 1\n");
++ maxdatalen = 1;
++ }
++ /* This is not a hard limit. It's just here to prevent people from
++ bringing their slow machines to a grinding halt. */
++ else if(maxdatalen > 65536) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, "
++ "using 65536\n");
++ maxdatalen = 65536;
++ }
++ return xt_register_matches(xt_layer7_match,
++ ARRAY_SIZE(xt_layer7_match));
++}
++
++static void __exit xt_layer7_fini(void)
++{
++ layer7_cleanup_proc();
++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
++}
++
++module_init(xt_layer7_init);
++module_exit(xt_layer7_fini);
+Index: linux-2.6.21.7/net/netfilter/regexp/regexp.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regexp.c
+@@ -0,0 +1,1197 @@
++/*
++ * regcomp and regexec -- regsub and regerror are elsewhere
++ * @(#)regexp.c 1.3 of 18 April 87
++ *
++ * Copyright (c) 1986 by University of Toronto.
++ * Written by Henry Spencer. Not derived from licensed software.
++ *
++ * Permission is granted to anyone to use this software for any
++ * purpose on any computer system, and to redistribute it freely,
++ * subject to the following restrictions:
++ *
++ * 1. The author is not responsible for the consequences of use of
++ * this software, no matter how awful, even if they arise
++ * from defects in it.
++ *
++ * 2. The origin of this software must not be misrepresented, either
++ * by explicit claim or by omission.
++ *
++ * 3. Altered versions must be plainly marked as such, and must not
++ * be misrepresented as being the original software.
++ *
++ * Beware that some of this code is subtly aware of the way operator
++ * precedence is structured in regular expressions. Serious changes in
++ * regular-expression syntax might require a total rethink.
++ *
++ * This code was modified by Ethan Sommer to work within the kernel
++ * (it now uses kmalloc etc..)
++ *
++ * Modified slightly by Matthew Strait to use more modern C.
++ */
++
++#include "regexp.h"
++#include "regmagic.h"
++
++/* added by ethan and matt. Lets it work in both kernel and user space.
++(So iptables can use it, for instance.) Yea, it goes both ways... */
++#if __KERNEL__
++ #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
++#else
++ #define printk(format,args...) printf(format,##args)
++#endif
++
++void regerror(char * s)
++{
++ printk("<3>Regexp: %s\n", s);
++ /* NOTREACHED */
++}
++
++/*
++ * The "internal use only" fields in regexp.h are present to pass info from
++ * compile to execute that permits the execute phase to run lots faster on
++ * simple cases. They are:
++ *
++ * regstart char that must begin a match; '\0' if none obvious
++ * reganch is the match anchored (at beginning-of-line only)?
++ * regmust string (pointer into program) that match must include, or NULL
++ * regmlen length of regmust string
++ *
++ * Regstart and reganch permit very fast decisions on suitable starting points
++ * for a match, cutting down the work a lot. Regmust permits fast rejection
++ * of lines that cannot possibly match. The regmust tests are costly enough
++ * that regcomp() supplies a regmust only if the r.e. contains something
++ * potentially expensive (at present, the only such thing detected is * or +
++ * at the start of the r.e., which can involve a lot of backup). Regmlen is
++ * supplied because the test in regexec() needs it and regcomp() is computing
++ * it anyway.
++ */
++
++/*
++ * Structure for regexp "program". This is essentially a linear encoding
++ * of a nondeterministic finite-state machine (aka syntax charts or
++ * "railroad normal form" in parsing technology). Each node is an opcode
++ * plus a "next" pointer, possibly plus an operand. "Next" pointers of
++ * all nodes except BRANCH implement concatenation; a "next" pointer with
++ * a BRANCH on both ends of it is connecting two alternatives. (Here we
++ * have one of the subtle syntax dependencies: an individual BRANCH (as
++ * opposed to a collection of them) is never concatenated with anything
++ * because of operator precedence.) The operand of some types of node is
++ * a literal string; for others, it is a node leading into a sub-FSM. In
++ * particular, the operand of a BRANCH node is the first node of the branch.
++ * (NB this is *not* a tree structure: the tail of the branch connects
++ * to the thing following the set of BRANCHes.) The opcodes are:
++ */
++
++/* definition number opnd? meaning */
++#define END 0 /* no End of program. */
++#define BOL 1 /* no Match "" at beginning of line. */
++#define EOL 2 /* no Match "" at end of line. */
++#define ANY 3 /* no Match any one character. */
++#define ANYOF 4 /* str Match any character in this string. */
++#define ANYBUT 5 /* str Match any character not in this string. */
++#define BRANCH 6 /* node Match this alternative, or the next... */
++#define BACK 7 /* no Match "", "next" ptr points backward. */
++#define EXACTLY 8 /* str Match this string. */
++#define NOTHING 9 /* no Match empty string. */
++#define STAR 10 /* node Match this (simple) thing 0 or more times. */
++#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
++#define OPEN 20 /* no Mark this point in input as start of #n. */
++ /* OPEN+1 is number 1, etc. */
++#define CLOSE 30 /* no Analogous to OPEN. */
++
++/*
++ * Opcode notes:
++ *
++ * BRANCH The set of branches constituting a single choice are hooked
++ * together with their "next" pointers, since precedence prevents
++ * anything being concatenated to any individual branch. The
++ * "next" pointer of the last BRANCH in a choice points to the
++ * thing following the whole choice. This is also where the
++ * final "next" pointer of each individual branch points; each
++ * branch starts with the operand node of a BRANCH node.
++ *
++ * BACK Normal "next" pointers all implicitly point forward; BACK
++ * exists to make loop structures possible.
++ *
++ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
++ * BRANCH structures using BACK. Simple cases (one character
++ * per match) are implemented with STAR and PLUS for speed
++ * and to minimize recursive plunges.
++ *
++ * OPEN,CLOSE ...are numbered at compile time.
++ */
++
++/*
++ * A node is one char of opcode followed by two chars of "next" pointer.
++ * "Next" pointers are stored as two 8-bit pieces, high order first. The
++ * value is a positive offset from the opcode of the node containing it.
++ * An operand, if any, simply follows the node. (Note that much of the
++ * code generation knows about this implicit relationship.)
++ *
++ * Using two bytes for the "next" pointer is vast overkill for most things,
++ * but allows patterns to get big without disasters.
++ */
++#define OP(p) (*(p))
++#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
++#define OPERAND(p) ((p) + 3)
++
++/*
++ * See regmagic.h for one further detail of program structure.
++ */
++
++
++/*
++ * Utility definitions.
++ */
++#ifndef CHARBITS
++#define UCHARAT(p) ((int)*(unsigned char *)(p))
++#else
++#define UCHARAT(p) ((int)*(p)&CHARBITS)
++#endif
++
++#define FAIL(m) { regerror(m); return(NULL); }
++#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
++#define META "^$.[()|?+*\\"
++
++/*
++ * Flags to be passed up and down.
++ */
++#define HASWIDTH 01 /* Known never to match null string. */
++#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
++#define SPSTART 04 /* Starts with * or +. */
++#define WORST 0 /* Worst case. */
++
++/*
++ * Global work variables for regcomp().
++ */
++struct match_globals {
++char *reginput; /* String-input pointer. */
++char *regbol; /* Beginning of input, for ^ check. */
++char **regstartp; /* Pointer to startp array. */
++char **regendp; /* Ditto for endp. */
++char *regparse; /* Input-scan pointer. */
++int regnpar; /* () count. */
++char regdummy;
++char *regcode; /* Code-emit pointer; ®dummy = don't. */
++long regsize; /* Code size. */
++};
++
++/*
++ * Forward declarations for regcomp()'s friends.
++ */
++#ifndef STATIC
++#define STATIC static
++#endif
++STATIC char *reg(struct match_globals *g, int paren,int *flagp);
++STATIC char *regbranch(struct match_globals *g, int *flagp);
++STATIC char *regpiece(struct match_globals *g, int *flagp);
++STATIC char *regatom(struct match_globals *g, int *flagp);
++STATIC char *regnode(struct match_globals *g, char op);
++STATIC char *regnext(struct match_globals *g, char *p);
++STATIC void regc(struct match_globals *g, char b);
++STATIC void reginsert(struct match_globals *g, char op, char *opnd);
++STATIC void regtail(struct match_globals *g, char *p, char *val);
++STATIC void regoptail(struct match_globals *g, char *p, char *val);
++
++
++__kernel_size_t my_strcspn(const char *s1,const char *s2)
++{
++ char *scan1;
++ char *scan2;
++ int count;
++
++ count = 0;
++ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
++ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
++ if (*scan1 == *scan2++)
++ return(count);
++ count++;
++ }
++ return(count);
++}
++
++/*
++ - regcomp - compile a regular expression into internal code
++ *
++ * We can't allocate space until we know how big the compiled form will be,
++ * but we can't compile it (and thus know how big it is) until we've got a
++ * place to put the code. So we cheat: we compile it twice, once with code
++ * generation turned off and size counting turned on, and once "for real".
++ * This also means that we don't allocate space until we are sure that the
++ * thing really will compile successfully, and we never have to move the
++ * code and thus invalidate pointers into it. (Note that it has to be in
++ * one piece because free() must be able to free it all.)
++ *
++ * Beware that the optimization-preparation code in here knows about some
++ * of the structure of the compiled regexp.
++ */
++regexp *
++regcomp(char *exp,int *patternsize)
++{
++ register regexp *r;
++ register char *scan;
++ register char *longest;
++ register int len;
++ int flags;
++ struct match_globals g;
++
++ /* commented out by ethan
++ extern char *malloc();
++ */
++
++ if (exp == NULL)
++ FAIL("NULL argument");
++
++ /* First pass: determine size, legality. */
++ g.regparse = exp;
++ g.regnpar = 1;
++ g.regsize = 0L;
++ g.regcode = &g.regdummy;
++ regc(&g, MAGIC);
++ if (reg(&g, 0, &flags) == NULL)
++ return(NULL);
++
++ /* Small enough for pointer-storage convention? */
++ if (g.regsize >= 32767L) /* Probably could be 65535L. */
++ FAIL("regexp too big");
++
++ /* Allocate space. */
++ *patternsize=sizeof(regexp) + (unsigned)g.regsize;
++ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize);
++ if (r == NULL)
++ FAIL("out of space");
++
++ /* Second pass: emit code. */
++ g.regparse = exp;
++ g.regnpar = 1;
++ g.regcode = r->program;
++ regc(&g, MAGIC);
++ if (reg(&g, 0, &flags) == NULL)
++ return(NULL);
++
++ /* Dig out information for optimizations. */
++ r->regstart = '\0'; /* Worst-case defaults. */
++ r->reganch = 0;
++ r->regmust = NULL;
++ r->regmlen = 0;
++ scan = r->program+1; /* First BRANCH. */
++ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */
++ scan = OPERAND(scan);
++
++ /* Starting-point info. */
++ if (OP(scan) == EXACTLY)
++ r->regstart = *OPERAND(scan);
++ else if (OP(scan) == BOL)
++ r->reganch++;
++
++ /*
++ * If there's something expensive in the r.e., find the
++ * longest literal string that must appear and make it the
++ * regmust. Resolve ties in favor of later strings, since
++ * the regstart check works with the beginning of the r.e.
++ * and avoiding duplication strengthens checking. Not a
++ * strong reason, but sufficient in the absence of others.
++ */
++ if (flags&SPSTART) {
++ longest = NULL;
++ len = 0;
++ for (; scan != NULL; scan = regnext(&g, scan))
++ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
++ longest = OPERAND(scan);
++ len = strlen(OPERAND(scan));
++ }
++ r->regmust = longest;
++ r->regmlen = len;
++ }
++ }
++
++ return(r);
++}
++
++/*
++ - reg - regular expression, i.e. main body or parenthesized thing
++ *
++ * Caller must absorb opening parenthesis.
++ *
++ * Combining parenthesis handling with the base level of regular expression
++ * is a trifle forced, but the need to tie the tails of the branches to what
++ * follows makes it hard to avoid.
++ */
++static char *
++reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ )
++{
++ register char *ret;
++ register char *br;
++ register char *ender;
++ register int parno = 0; /* 0 makes gcc happy */
++ int flags;
++
++ *flagp = HASWIDTH; /* Tentatively. */
++
++ /* Make an OPEN node, if parenthesized. */
++ if (paren) {
++ if (g->regnpar >= NSUBEXP)
++ FAIL("too many ()");
++ parno = g->regnpar;
++ g->regnpar++;
++ ret = regnode(g, OPEN+parno);
++ } else
++ ret = NULL;
++
++ /* Pick up the branches, linking them together. */
++ br = regbranch(g, &flags);
++ if (br == NULL)
++ return(NULL);
++ if (ret != NULL)
++ regtail(g, ret, br); /* OPEN -> first. */
++ else
++ ret = br;
++ if (!(flags&HASWIDTH))
++ *flagp &= ~HASWIDTH;
++ *flagp |= flags&SPSTART;
++ while (*g->regparse == '|') {
++ g->regparse++;
++ br = regbranch(g, &flags);
++ if (br == NULL)
++ return(NULL);
++ regtail(g, ret, br); /* BRANCH -> BRANCH. */
++ if (!(flags&HASWIDTH))
++ *flagp &= ~HASWIDTH;
++ *flagp |= flags&SPSTART;
++ }
++
++ /* Make a closing node, and hook it on the end. */
++ ender = regnode(g, (paren) ? CLOSE+parno : END);
++ regtail(g, ret, ender);
++
++ /* Hook the tails of the branches to the closing node. */
++ for (br = ret; br != NULL; br = regnext(g, br))
++ regoptail(g, br, ender);
++
++ /* Check for proper termination. */
++ if (paren && *g->regparse++ != ')') {
++ FAIL("unmatched ()");
++ } else if (!paren && *g->regparse != '\0') {
++ if (*g->regparse == ')') {
++ FAIL("unmatched ()");
++ } else
++ FAIL("junk on end"); /* "Can't happen". */
++ /* NOTREACHED */
++ }
++
++ return(ret);
++}
++
++/*
++ - regbranch - one alternative of an | operator
++ *
++ * Implements the concatenation operator.
++ */
++static char *
++regbranch(struct match_globals *g, int *flagp)
++{
++ register char *ret;
++ register char *chain;
++ register char *latest;
++ int flags;
++
++ *flagp = WORST; /* Tentatively. */
++
++ ret = regnode(g, BRANCH);
++ chain = NULL;
++ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') {
++ latest = regpiece(g, &flags);
++ if (latest == NULL)
++ return(NULL);
++ *flagp |= flags&HASWIDTH;
++ if (chain == NULL) /* First piece. */
++ *flagp |= flags&SPSTART;
++ else
++ regtail(g, chain, latest);
++ chain = latest;
++ }
++ if (chain == NULL) /* Loop ran zero times. */
++ (void) regnode(g, NOTHING);
++
++ return(ret);
++}
++
++/*
++ - regpiece - something followed by possible [*+?]
++ *
++ * Note that the branching code sequences used for ? and the general cases
++ * of * and + are somewhat optimized: they use the same NOTHING node as
++ * both the endmarker for their branch list and the body of the last branch.
++ * It might seem that this node could be dispensed with entirely, but the
++ * endmarker role is not redundant.
++ */
++static char *
++regpiece(struct match_globals *g, int *flagp)
++{
++ register char *ret;
++ register char op;
++ register char *next;
++ int flags;
++
++ ret = regatom(g, &flags);
++ if (ret == NULL)
++ return(NULL);
++
++ op = *g->regparse;
++ if (!ISMULT(op)) {
++ *flagp = flags;
++ return(ret);
++ }
++
++ if (!(flags&HASWIDTH) && op != '?')
++ FAIL("*+ operand could be empty");
++ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
++
++ if (op == '*' && (flags&SIMPLE))
++ reginsert(g, STAR, ret);
++ else if (op == '*') {
++ /* Emit x* as (x&|), where & means "self". */
++ reginsert(g, BRANCH, ret); /* Either x */
++ regoptail(g, ret, regnode(g, BACK)); /* and loop */
++ regoptail(g, ret, ret); /* back */
++ regtail(g, ret, regnode(g, BRANCH)); /* or */
++ regtail(g, ret, regnode(g, NOTHING)); /* null. */
++ } else if (op == '+' && (flags&SIMPLE))
++ reginsert(g, PLUS, ret);
++ else if (op == '+') {
++ /* Emit x+ as x(&|), where & means "self". */
++ next = regnode(g, BRANCH); /* Either */
++ regtail(g, ret, next);
++ regtail(g, regnode(g, BACK), ret); /* loop back */
++ regtail(g, next, regnode(g, BRANCH)); /* or */
++ regtail(g, ret, regnode(g, NOTHING)); /* null. */
++ } else if (op == '?') {
++ /* Emit x? as (x|) */
++ reginsert(g, BRANCH, ret); /* Either x */
++ regtail(g, ret, regnode(g, BRANCH)); /* or */
++ next = regnode(g, NOTHING); /* null. */
++ regtail(g, ret, next);
++ regoptail(g, ret, next);
++ }
++ g->regparse++;
++ if (ISMULT(*g->regparse))
++ FAIL("nested *?+");
++
++ return(ret);
++}
++
++/*
++ - regatom - the lowest level
++ *
++ * Optimization: gobbles an entire sequence of ordinary characters so that
++ * it can turn them into a single node, which is smaller to store and
++ * faster to run. Backslashed characters are exceptions, each becoming a
++ * separate node; the code is simpler that way and it's not worth fixing.
++ */
++static char *
++regatom(struct match_globals *g, int *flagp)
++{
++ register char *ret;
++ int flags;
++
++ *flagp = WORST; /* Tentatively. */
++
++ switch (*g->regparse++) {
++ case '^':
++ ret = regnode(g, BOL);
++ break;
++ case '$':
++ ret = regnode(g, EOL);
++ break;
++ case '.':
++ ret = regnode(g, ANY);
++ *flagp |= HASWIDTH|SIMPLE;
++ break;
++ case '[': {
++ register int class;
++ register int classend;
++
++ if (*g->regparse == '^') { /* Complement of range. */
++ ret = regnode(g, ANYBUT);
++ g->regparse++;
++ } else
++ ret = regnode(g, ANYOF);
++ if (*g->regparse == ']' || *g->regparse == '-')
++ regc(g, *g->regparse++);
++ while (*g->regparse != '\0' && *g->regparse != ']') {
++ if (*g->regparse == '-') {
++ g->regparse++;
++ if (*g->regparse == ']' || *g->regparse == '\0')
++ regc(g, '-');
++ else {
++ class = UCHARAT(g->regparse-2)+1;
++ classend = UCHARAT(g->regparse);
++ if (class > classend+1)
++ FAIL("invalid [] range");
++ for (; class <= classend; class++)
++ regc(g, class);
++ g->regparse++;
++ }
++ } else
++ regc(g, *g->regparse++);
++ }
++ regc(g, '\0');
++ if (*g->regparse != ']')
++ FAIL("unmatched []");
++ g->regparse++;
++ *flagp |= HASWIDTH|SIMPLE;
++ }
++ break;
++ case '(':
++ ret = reg(g, 1, &flags);
++ if (ret == NULL)
++ return(NULL);
++ *flagp |= flags&(HASWIDTH|SPSTART);
++ break;
++ case '\0':
++ case '|':
++ case ')':
++ FAIL("internal urp"); /* Supposed to be caught earlier. */
++ break;
++ case '?':
++ case '+':
++ case '*':
++ FAIL("?+* follows nothing");
++ break;
++ case '\\':
++ if (*g->regparse == '\0')
++ FAIL("trailing \\");
++ ret = regnode(g, EXACTLY);
++ regc(g, *g->regparse++);
++ regc(g, '\0');
++ *flagp |= HASWIDTH|SIMPLE;
++ break;
++ default: {
++ register int len;
++ register char ender;
++
++ g->regparse--;
++ len = my_strcspn((const char *)g->regparse, (const char *)META);
++ if (len <= 0)
++ FAIL("internal disaster");
++ ender = *(g->regparse+len);
++ if (len > 1 && ISMULT(ender))
++ len--; /* Back off clear of ?+* operand. */
++ *flagp |= HASWIDTH;
++ if (len == 1)
++ *flagp |= SIMPLE;
++ ret = regnode(g, EXACTLY);
++ while (len > 0) {
++ regc(g, *g->regparse++);
++ len--;
++ }
++ regc(g, '\0');
++ }
++ break;
++ }
++
++ return(ret);
++}
++
++/*
++ - regnode - emit a node
++ */
++static char * /* Location. */
++regnode(struct match_globals *g, char op)
++{
++ register char *ret;
++ register char *ptr;
++
++ ret = g->regcode;
++ if (ret == &g->regdummy) {
++ g->regsize += 3;
++ return(ret);
++ }
++
++ ptr = ret;
++ *ptr++ = op;
++ *ptr++ = '\0'; /* Null "next" pointer. */
++ *ptr++ = '\0';
++ g->regcode = ptr;
++
++ return(ret);
++}
++
++/*
++ - regc - emit (if appropriate) a byte of code
++ */
++static void
++regc(struct match_globals *g, char b)
++{
++ if (g->regcode != &g->regdummy)
++ *g->regcode++ = b;
++ else
++ g->regsize++;
++}
++
++/*
++ - reginsert - insert an operator in front of already-emitted operand
++ *
++ * Means relocating the operand.
++ */
++static void
++reginsert(struct match_globals *g, char op, char* opnd)
++{
++ register char *src;
++ register char *dst;
++ register char *place;
++
++ if (g->regcode == &g->regdummy) {
++ g->regsize += 3;
++ return;
++ }
++
++ src = g->regcode;
++ g->regcode += 3;
++ dst = g->regcode;
++ while (src > opnd)
++ *--dst = *--src;
++
++ place = opnd; /* Op node, where operand used to be. */
++ *place++ = op;
++ *place++ = '\0';
++ *place++ = '\0';
++}
++
++/*
++ - regtail - set the next-pointer at the end of a node chain
++ */
++static void
++regtail(struct match_globals *g, char *p, char *val)
++{
++ register char *scan;
++ register char *temp;
++ register int offset;
++
++ if (p == &g->regdummy)
++ return;
++
++ /* Find last node. */
++ scan = p;
++ for (;;) {
++ temp = regnext(g, scan);
++ if (temp == NULL)
++ break;
++ scan = temp;
++ }
++
++ if (OP(scan) == BACK)
++ offset = scan - val;
++ else
++ offset = val - scan;
++ *(scan+1) = (offset>>8)&0377;
++ *(scan+2) = offset&0377;
++}
++
++/*
++ - regoptail - regtail on operand of first argument; nop if operandless
++ */
++static void
++regoptail(struct match_globals *g, char *p, char *val)
++{
++ /* "Operandless" and "op != BRANCH" are synonymous in practice. */
++ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH)
++ return;
++ regtail(g, OPERAND(p), val);
++}
++
++/*
++ * regexec and friends
++ */
++
++
++/*
++ * Forwards.
++ */
++STATIC int regtry(struct match_globals *g, regexp *prog, char *string);
++STATIC int regmatch(struct match_globals *g, char *prog);
++STATIC int regrepeat(struct match_globals *g, char *p);
++
++#ifdef DEBUG
++int regnarrate = 0;
++void regdump();
++STATIC char *regprop(char *op);
++#endif
++
++/*
++ - regexec - match a regexp against a string
++ */
++int
++regexec(regexp *prog, char *string)
++{
++ register char *s;
++ struct match_globals g;
++
++ /* Be paranoid... */
++ if (prog == NULL || string == NULL) {
++ printk("<3>Regexp: NULL parameter\n");
++ return(0);
++ }
++
++ /* Check validity of program. */
++ if (UCHARAT(prog->program) != MAGIC) {
++ printk("<3>Regexp: corrupted program\n");
++ return(0);
++ }
++
++ /* If there is a "must appear" string, look for it. */
++ if (prog->regmust != NULL) {
++ s = string;
++ while ((s = strchr(s, prog->regmust[0])) != NULL) {
++ if (strncmp(s, prog->regmust, prog->regmlen) == 0)
++ break; /* Found it. */
++ s++;
++ }
++ if (s == NULL) /* Not present. */
++ return(0);
++ }
++
++ /* Mark beginning of line for ^ . */
++ g.regbol = string;
++
++ /* Simplest case: anchored match need be tried only once. */
++ if (prog->reganch)
++ return(regtry(&g, prog, string));
++
++ /* Messy cases: unanchored match. */
++ s = string;
++ if (prog->regstart != '\0')
++ /* We know what char it must start with. */
++ while ((s = strchr(s, prog->regstart)) != NULL) {
++ if (regtry(&g, prog, s))
++ return(1);
++ s++;
++ }
++ else
++ /* We don't -- general case. */
++ do {
++ if (regtry(&g, prog, s))
++ return(1);
++ } while (*s++ != '\0');
++
++ /* Failure. */
++ return(0);
++}
++
++/*
++ - regtry - try match at specific point
++ */
++static int /* 0 failure, 1 success */
++regtry(struct match_globals *g, regexp *prog, char *string)
++{
++ register int i;
++ register char **sp;
++ register char **ep;
++
++ g->reginput = string;
++ g->regstartp = prog->startp;
++ g->regendp = prog->endp;
++
++ sp = prog->startp;
++ ep = prog->endp;
++ for (i = NSUBEXP; i > 0; i--) {
++ *sp++ = NULL;
++ *ep++ = NULL;
++ }
++ if (regmatch(g, prog->program + 1)) {
++ prog->startp[0] = string;
++ prog->endp[0] = g->reginput;
++ return(1);
++ } else
++ return(0);
++}
++
++/*
++ - regmatch - main matching routine
++ *
++ * Conceptually the strategy is simple: check to see whether the current
++ * node matches, call self recursively to see whether the rest matches,
++ * and then act accordingly. In practice we make some effort to avoid
++ * recursion, in particular by going through "ordinary" nodes (that don't
++ * need to know whether the rest of the match failed) by a loop instead of
++ * by recursion.
++ */
++static int /* 0 failure, 1 success */
++regmatch(struct match_globals *g, char *prog)
++{
++ register char *scan = prog; /* Current node. */
++ char *next; /* Next node. */
++
++#ifdef DEBUG
++ if (scan != NULL && regnarrate)
++ fprintf(stderr, "%s(\n", regprop(scan));
++#endif
++ while (scan != NULL) {
++#ifdef DEBUG
++ if (regnarrate)
++ fprintf(stderr, "%s...\n", regprop(scan));
++#endif
++ next = regnext(g, scan);
++
++ switch (OP(scan)) {
++ case BOL:
++ if (g->reginput != g->regbol)
++ return(0);
++ break;
++ case EOL:
++ if (*g->reginput != '\0')
++ return(0);
++ break;
++ case ANY:
++ if (*g->reginput == '\0')
++ return(0);
++ g->reginput++;
++ break;
++ case EXACTLY: {
++ register int len;
++ register char *opnd;
++
++ opnd = OPERAND(scan);
++ /* Inline the first character, for speed. */
++ if (*opnd != *g->reginput)
++ return(0);
++ len = strlen(opnd);
++ if (len > 1 && strncmp(opnd, g->reginput, len) != 0)
++ return(0);
++ g->reginput += len;
++ }
++ break;
++ case ANYOF:
++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL)
++ return(0);
++ g->reginput++;
++ break;
++ case ANYBUT:
++ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL)
++ return(0);
++ g->reginput++;
++ break;
++ case NOTHING:
++ case BACK:
++ break;
++ case OPEN+1:
++ case OPEN+2:
++ case OPEN+3:
++ case OPEN+4:
++ case OPEN+5:
++ case OPEN+6:
++ case OPEN+7:
++ case OPEN+8:
++ case OPEN+9: {
++ register int no;
++ register char *save;
++
++ no = OP(scan) - OPEN;
++ save = g->reginput;
++
++ if (regmatch(g, next)) {
++ /*
++ * Don't set startp if some later
++ * invocation of the same parentheses
++ * already has.
++ */
++ if (g->regstartp[no] == NULL)
++ g->regstartp[no] = save;
++ return(1);
++ } else
++ return(0);
++ }
++ break;
++ case CLOSE+1:
++ case CLOSE+2:
++ case CLOSE+3:
++ case CLOSE+4:
++ case CLOSE+5:
++ case CLOSE+6:
++ case CLOSE+7:
++ case CLOSE+8:
++ case CLOSE+9:
++ {
++ register int no;
++ register char *save;
++
++ no = OP(scan) - CLOSE;
++ save = g->reginput;
++
++ if (regmatch(g, next)) {
++ /*
++ * Don't set endp if some later
++ * invocation of the same parentheses
++ * already has.
++ */
++ if (g->regendp[no] == NULL)
++ g->regendp[no] = save;
++ return(1);
++ } else
++ return(0);
++ }
++ break;
++ case BRANCH: {
++ register char *save;
++
++ if (OP(next) != BRANCH) /* No choice. */
++ next = OPERAND(scan); /* Avoid recursion. */
++ else {
++ do {
++ save = g->reginput;
++ if (regmatch(g, OPERAND(scan)))
++ return(1);
++ g->reginput = save;
++ scan = regnext(g, scan);
++ } while (scan != NULL && OP(scan) == BRANCH);
++ return(0);
++ /* NOTREACHED */
++ }
++ }
++ break;
++ case STAR:
++ case PLUS: {
++ register char nextch;
++ register int no;
++ register char *save;
++ register int min;
++
++ /*
++ * Lookahead to avoid useless match attempts
++ * when we know what character comes next.
++ */
++ nextch = '\0';
++ if (OP(next) == EXACTLY)
++ nextch = *OPERAND(next);
++ min = (OP(scan) == STAR) ? 0 : 1;
++ save = g->reginput;
++ no = regrepeat(g, OPERAND(scan));
++ while (no >= min) {
++ /* If it could work, try it. */
++ if (nextch == '\0' || *g->reginput == nextch)
++ if (regmatch(g, next))
++ return(1);
++ /* Couldn't or didn't -- back up. */
++ no--;
++ g->reginput = save + no;
++ }
++ return(0);
++ }
++ break;
++ case END:
++ return(1); /* Success! */
++ break;
++ default:
++ printk("<3>Regexp: memory corruption\n");
++ return(0);
++ break;
++ }
++
++ scan = next;
++ }
++
++ /*
++ * We get here only if there's trouble -- normally "case END" is
++ * the terminating point.
++ */
++ printk("<3>Regexp: corrupted pointers\n");
++ return(0);
++}
++
++/*
++ - regrepeat - repeatedly match something simple, report how many
++ */
++static int
++regrepeat(struct match_globals *g, char *p)
++{
++ register int count = 0;
++ register char *scan;
++ register char *opnd;
++
++ scan = g->reginput;
++ opnd = OPERAND(p);
++ switch (OP(p)) {
++ case ANY:
++ count = strlen(scan);
++ scan += count;
++ break;
++ case EXACTLY:
++ while (*opnd == *scan) {
++ count++;
++ scan++;
++ }
++ break;
++ case ANYOF:
++ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
++ count++;
++ scan++;
++ }
++ break;
++ case ANYBUT:
++ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
++ count++;
++ scan++;
++ }
++ break;
++ default: /* Oh dear. Called inappropriately. */
++ printk("<3>Regexp: internal foulup\n");
++ count = 0; /* Best compromise. */
++ break;
++ }
++ g->reginput = scan;
++
++ return(count);
++}
++
++/*
++ - regnext - dig the "next" pointer out of a node
++ */
++static char*
++regnext(struct match_globals *g, char *p)
++{
++ register int offset;
++
++ if (p == &g->regdummy)
++ return(NULL);
++
++ offset = NEXT(p);
++ if (offset == 0)
++ return(NULL);
++
++ if (OP(p) == BACK)
++ return(p-offset);
++ else
++ return(p+offset);
++}
++
++#ifdef DEBUG
++
++STATIC char *regprop();
++
++/*
++ - regdump - dump a regexp onto stdout in vaguely comprehensible form
++ */
++void
++regdump(regexp *r)
++{
++ register char *s;
++ register char op = EXACTLY; /* Arbitrary non-END op. */
++ register char *next;
++ /* extern char *strchr(); */
++
++
++ s = r->program + 1;
++ while (op != END) { /* While that wasn't END last time... */
++ op = OP(s);
++ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
++ next = regnext(s);
++ if (next == NULL) /* Next ptr. */
++ printf("(0)");
++ else
++ printf("(%d)", (s-r->program)+(next-s));
++ s += 3;
++ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
++ /* Literal string, where present. */
++ while (*s != '\0') {
++ putchar(*s);
++ s++;
++ }
++ s++;
++ }
++ putchar('\n');
++ }
++
++ /* Header fields of interest. */
++ if (r->regstart != '\0')
++ printf("start `%c' ", r->regstart);
++ if (r->reganch)
++ printf("anchored ");
++ if (r->regmust != NULL)
++ printf("must have \"%s\"", r->regmust);
++ printf("\n");
++}
++
++/*
++ - regprop - printable representation of opcode
++ */
++static char *
++regprop(char *op)
++{
++#define BUFLEN 50
++ register char *p;
++ static char buf[BUFLEN];
++
++ strcpy(buf, ":");
++
++ switch (OP(op)) {
++ case BOL:
++ p = "BOL";
++ break;
++ case EOL:
++ p = "EOL";
++ break;
++ case ANY:
++ p = "ANY";
++ break;
++ case ANYOF:
++ p = "ANYOF";
++ break;
++ case ANYBUT:
++ p = "ANYBUT";
++ break;
++ case BRANCH:
++ p = "BRANCH";
++ break;
++ case EXACTLY:
++ p = "EXACTLY";
++ break;
++ case NOTHING:
++ p = "NOTHING";
++ break;
++ case BACK:
++ p = "BACK";
++ break;
++ case END:
++ p = "END";
++ break;
++ case OPEN+1:
++ case OPEN+2:
++ case OPEN+3:
++ case OPEN+4:
++ case OPEN+5:
++ case OPEN+6:
++ case OPEN+7:
++ case OPEN+8:
++ case OPEN+9:
++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
++ p = NULL;
++ break;
++ case CLOSE+1:
++ case CLOSE+2:
++ case CLOSE+3:
++ case CLOSE+4:
++ case CLOSE+5:
++ case CLOSE+6:
++ case CLOSE+7:
++ case CLOSE+8:
++ case CLOSE+9:
++ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
++ p = NULL;
++ break;
++ case STAR:
++ p = "STAR";
++ break;
++ case PLUS:
++ p = "PLUS";
++ break;
++ default:
++ printk("<3>Regexp: corrupted opcode\n");
++ break;
++ }
++ if (p != NULL)
++ strncat(buf, p, BUFLEN-strlen(buf));
++ return(buf);
++}
++#endif
++
++
+Index: linux-2.6.21.7/net/netfilter/regexp/regexp.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regexp.h
+@@ -0,0 +1,41 @@
++/*
++ * Definitions etc. for regexp(3) routines.
++ *
++ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
++ * not the System V one.
++ */
++
++#ifndef REGEXP_H
++#define REGEXP_H
++
++
++/*
++http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
++which contains a version of this library, says:
++
++ *
++ * NSUBEXP must be at least 10, and no greater than 117 or the parser
++ * will not work properly.
++ *
++
++However, it looks rather like this library is limited to 10. If you think
++otherwise, let us know.
++*/
++
++#define NSUBEXP 10
++typedef struct regexp {
++ char *startp[NSUBEXP];
++ char *endp[NSUBEXP];
++ char regstart; /* Internal use only. */
++ char reganch; /* Internal use only. */
++ char *regmust; /* Internal use only. */
++ int regmlen; /* Internal use only. */
++ char program[1]; /* Unwarranted chumminess with compiler. */
++} regexp;
++
++regexp * regcomp(char *exp, int *patternsize);
++int regexec(regexp *prog, char *string);
++void regsub(regexp *prog, char *source, char *dest);
++void regerror(char *s);
++
++#endif
+Index: linux-2.6.21.7/net/netfilter/regexp/regmagic.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regmagic.h
+@@ -0,0 +1,5 @@
++/*
++ * The first byte of the regexp internal "program" is actually this magic
++ * number; the start node begins in the second byte.
++ */
++#define MAGIC 0234
+Index: linux-2.6.21.7/net/netfilter/regexp/regsub.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regsub.c
+@@ -0,0 +1,95 @@
++/*
++ * regsub
++ * @(#)regsub.c 1.3 of 2 April 86
++ *
++ * Copyright (c) 1986 by University of Toronto.
++ * Written by Henry Spencer. Not derived from licensed software.
++ *
++ * Permission is granted to anyone to use this software for any
++ * purpose on any computer system, and to redistribute it freely,
++ * subject to the following restrictions:
++ *
++ * 1. The author is not responsible for the consequences of use of
++ * this software, no matter how awful, even if they arise
++ * from defects in it.
++ *
++ * 2. The origin of this software must not be misrepresented, either
++ * by explicit claim or by omission.
++ *
++ * 3. Altered versions must be plainly marked as such, and must not
++ * be misrepresented as being the original software.
++ *
++ *
++ * This code was modified by Ethan Sommer to work within the kernel
++ * (it now uses kmalloc etc..)
++ *
++ */
++#include "regexp.h"
++#include "regmagic.h"
++#include <linux/string.h>
++
++
++#ifndef CHARBITS
++#define UCHARAT(p) ((int)*(unsigned char *)(p))
++#else
++#define UCHARAT(p) ((int)*(p)&CHARBITS)
++#endif
++
++#if 0
++//void regerror(char * s)
++//{
++// printk("regexp(3): %s", s);
++// /* NOTREACHED */
++//}
++#endif
++
++/*
++ - regsub - perform substitutions after a regexp match
++ */
++void
++regsub(regexp * prog, char * source, char * dest)
++{
++ register char *src;
++ register char *dst;
++ register char c;
++ register int no;
++ register int len;
++
++ /* Not necessary and gcc doesn't like it -MLS */
++ /*extern char *strncpy();*/
++
++ if (prog == NULL || source == NULL || dest == NULL) {
++ regerror("NULL parm to regsub");
++ return;
++ }
++ if (UCHARAT(prog->program) != MAGIC) {
++ regerror("damaged regexp fed to regsub");
++ return;
++ }
++
++ src = source;
++ dst = dest;
++ while ((c = *src++) != '\0') {
++ if (c == '&')
++ no = 0;
++ else if (c == '\\' && '0' <= *src && *src <= '9')
++ no = *src++ - '0';
++ else
++ no = -1;
++
++ if (no < 0) { /* Ordinary character. */
++ if (c == '\\' && (*src == '\\' || *src == '&'))
++ c = *src++;
++ *dst++ = c;
++ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
++ len = prog->endp[no] - prog->startp[no];
++ (void) strncpy(dst, prog->startp[no], len);
++ dst += len;
++ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
++ regerror("damaged match string");
++ return;
++ }
++ }
++ }
++ *dst++ = '\0';
++}
+Index: linux-2.6.21.7/net/netfilter/nf_conntrack_core.c
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_core.c
++++ linux-2.6.21.7/net/netfilter/nf_conntrack_core.c
+@@ -352,6 +352,14 @@ destroy_conntrack(struct nf_conntrack *n
+ * too. */
+ nf_ct_remove_expectations(ct);
+
++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(ct->layer7.app_proto)
++ kfree(ct->layer7.app_proto);
++ if(ct->layer7.app_data)
++ kfree(ct->layer7.app_data);
++ #endif
++
++
+ /* We overload first tuple to link into unconfirmed list. */
+ if (!nf_ct_is_confirmed(ct)) {
+ BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
+Index: linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_standalone.c
++++ linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c
+@@ -195,7 +195,12 @@ static int ct_seq_show(struct seq_file *
+ return -ENOSPC;
+ #endif
+
+- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(conntrack->layer7.app_proto)
++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))
++ return -ENOSPC;
++#endif
++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use)))
+ return -ENOSPC;
+
+ return 0;
+Index: linux-2.6.21.7/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.21.7.orig/include/net/netfilter/nf_conntrack.h
++++ linux-2.6.21.7/include/net/netfilter/nf_conntrack.h
+@@ -128,6 +128,22 @@ struct nf_conn
+ u_int32_t secmark;
+ #endif
+
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ struct {
++ /*
++ * e.g. "http". NULL before decision. "unknown" after decision
++ * if no match.
++ */
++ char *app_proto;
++ /*
++ * application layer data so far. NULL after match decision.
++ */
++ char *app_data;
++ unsigned int app_data_len;
++ } layer7;
++#endif
++
+ /* Storage reserved for other modules: */
+ union nf_conntrack_proto proto;
+
+Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
+@@ -0,0 +1,13 @@
++#ifndef _XT_LAYER7_H
++#define _XT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++struct xt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char pattern[MAX_PATTERN_LEN];
++ u_int8_t invert;
++};
++
++#endif /* _XT_LAYER7_H */
+++ /dev/null
-Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200
-@@ -0,0 +1,26 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
-+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+};
-+
-+#endif /* _IPT_LAYER7_H */
-Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c
-===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:53.432285750 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:55.496414750 +0200
-@@ -332,6 +332,13 @@
- * too. */
- ip_ct_remove_expectations(ct);
-
-+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ kfree(ct->layer7.app_proto);
-+ if(ct->layer7.app_data)
-+ kfree(ct->layer7.app_data);
-+ #endif
-+
- /* We overload first tuple to link into unconfirmed list. */
- if (!is_confirmed(ct)) {
- BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c
-===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:53.440286250 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:55.544417750 +0200
-@@ -188,6 +188,12 @@
- return -ENOSPC;
- #endif
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(conntrack->layer7.app_proto)
-+ if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto))
-+ return 1;
-+#endif
-+
- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
- return -ENOSPC;
-
-Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200
-@@ -0,0 +1,583 @@
-+/*
-+ Kernel module to match application layer (OSI layer 7) data in connections.
-+
-+ http://l7-filter.sf.net
-+
-+ By Matthew Strait and Ethan Sommer, 2003-2006.
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
-+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
-+
-+ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
-+*/
-+
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/proc_fs.h>
-+#include <linux/ctype.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_nat_rule.h>
-+#include <linux/spinlock.h>
-+
-+#include "regexp/regexp.c"
-+
-+#include <linux/netfilter_ipv4/ipt_layer7.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
-+MODULE_LICENSE("GPL");
-+MODULE_DESCRIPTION("iptables application layer match module");
-+MODULE_VERSION("2.0");
-+
-+static int maxdatalen = 2048; // this is the default
-+module_param(maxdatalen, int, 0444);
-+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+ #define DPRINTK(format,args...) printk(format,##args)
-+#else
-+ #define DPRINTK(format,args...)
-+#endif
-+
-+#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
-+ master_conntrack->counters[IP_CT_DIR_REPLY].packets
-+
-+/* Number of packets whose data we look at.
-+This can be modified through /proc/net/layer7_numpackets */
-+static int num_packets = 10;
-+
-+static struct pattern_cache {
-+ char * regex_string;
-+ regexp * pattern;
-+ struct pattern_cache * next;
-+} * first_pattern_cache = NULL;
-+
-+/* I'm new to locking. Here are my assumptions:
-+
-+- No one will write to /proc/net/layer7_numpackets over and over very fast;
-+ if they did, nothing awful would happen.
-+
-+- This code will never be processing the same packet twice at the same time,
-+ because iptables rules are traversed in order.
-+
-+- It doesn't matter if two packets from different connections are in here at
-+ the same time, because they don't share any data.
-+
-+- It _does_ matter if two packets from the same connection (or one from a
-+ master and one from its child) are here at the same time. In this case,
-+ we have to protect the conntracks and the list of compiled patterns.
-+*/
-+DEFINE_RWLOCK(ct_lock);
-+DEFINE_SPINLOCK(list_lock);
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+/* Converts an unfriendly string into a friendly one by
-+replacing unprintables with periods and all whitespace with " ". */
-+static char * friendly_print(unsigned char * s)
-+{
-+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!f) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++){
-+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
-+ else if(isspace(s[i])) f[i] = ' ';
-+ else f[i] = '.';
-+ }
-+ f[i] = '\0';
-+ return f;
-+}
-+
-+static char dec2hex(int i)
-+{
-+ switch (i) {
-+ case 0 ... 9:
-+ return (char)(i + '0');
-+ break;
-+ case 10 ... 15:
-+ return (char)(i - 10 + 'a');
-+ break;
-+ default:
-+ if (net_ratelimit())
-+ printk("Problem in dec2hex\n");
-+ return '\0';
-+ }
-+}
-+
-+static char * hex_print(unsigned char * s)
-+{
-+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!g) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++) {
-+ g[i*3 ] = dec2hex(s[i]/16);
-+ g[i*3 + 1] = dec2hex(s[i]%16);
-+ g[i*3 + 2] = ' ';
-+ }
-+ g[i*3] = '\0';
-+
-+ return g;
-+}
-+#endif // DEBUG
-+
-+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
-+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(char * regex_string, char * protocol)
-+{
-+ struct pattern_cache * node = first_pattern_cache;
-+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
-+ struct pattern_cache * tmp;
-+ unsigned int len;
-+
-+ while (node != NULL) {
-+ if (!strcmp(node->regex_string, regex_string))
-+ return node->pattern;
-+
-+ last_pattern_cache = node;/* points at the last non-NULL node */
-+ node = node->next;
-+ }
-+
-+ /* If we reach the end of the list, then we have not yet cached
-+ the pattern for this regex. Let's do that now.
-+ Be paranoid about running out of memory to avoid list corruption. */
-+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
-+
-+ if(!tmp) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
-+ return NULL;
-+ }
-+
-+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
-+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
-+ tmp->next = NULL;
-+
-+ if(!tmp->regex_string || !tmp->pattern) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
-+ kfree(tmp->regex_string);
-+ kfree(tmp->pattern);
-+ kfree(tmp);
-+ return NULL;
-+ }
-+
-+ /* Ok. The new node is all ready now. */
-+ node = tmp;
-+
-+ if(first_pattern_cache == NULL) /* list is empty */
-+ first_pattern_cache = node; /* make node the beginning */
-+ else
-+ last_pattern_cache->next = node; /* attach node to the end */
-+
-+ /* copy the string and compile the regex */
-+ len = strlen(regex_string);
-+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp(regex_string, &len);
-+ if ( !node->pattern ) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
-+ /* pattern is now cached as NULL, so we won't try again. */
-+ }
-+
-+ strcpy(node->regex_string, regex_string);
-+ return node->pattern;
-+}
-+
-+static int can_handle(const struct sk_buff *skb)
-+{
-+ if(!skb->nh.iph) /* not IP */
-+ return 0;
-+ if(skb->nh.iph->protocol != IPPROTO_TCP &&
-+ skb->nh.iph->protocol != IPPROTO_UDP &&
-+ skb->nh.iph->protocol != IPPROTO_ICMP)
-+ return 0;
-+ return 1;
-+}
-+
-+/* Returns offset the into the skb->data that the application data starts */
-+static int app_data_offset(const struct sk_buff *skb)
-+{
-+ /* In case we are ported somewhere (ebtables?) where skb->nh.iph
-+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+ int ip_hl = 4*skb->nh.iph->ihl;
-+
-+ if( skb->nh.iph->protocol == IPPROTO_TCP ) {
-+ /* 12 == offset into TCP header for the header length field.
-+ Can't get this with skb->h.th->doff because the tcphdr
-+ struct doesn't get set when routing (this is confirmed to be
-+ true in Netfilter as well as QoS.) */
-+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
-+
-+ return ip_hl + tcp_hl;
-+ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) {
-+ return ip_hl + 8; /* UDP header is always 8 bytes */
-+ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) {
-+ return ip_hl + 8; /* ICMP header is 8 bytes */
-+ } else {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
-+ return ip_hl + 8; /* something reasonable */
-+ }
-+}
-+
-+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
-+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
-+ struct ipt_layer7_info * info)
-+{
-+ /* If we're in here, throw the app data away */
-+ write_lock(&ct_lock);
-+ if(master_conntrack->layer7.app_data != NULL) {
-+
-+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-+ if(!master_conntrack->layer7.app_proto) {
-+ char * f = friendly_print(master_conntrack->layer7.app_data);
-+ char * g = hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
-+ strlen(f), TOTAL_PACKETS, f);
-+ kfree(f);
-+ DPRINTK("In hex: %s\n", g);
-+ kfree(g);
-+ }
-+ #endif
-+
-+ kfree(master_conntrack->layer7.app_data);
-+ master_conntrack->layer7.app_data = NULL; /* don't free again */
-+ }
-+ write_unlock(&ct_lock);
-+
-+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
-+ write_lock(&ct_lock);
-+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
-+ if(!conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return 1;
-+ }
-+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
-+ }
-+ write_unlock(&ct_lock);
-+
-+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
-+ }
-+ else {
-+ /* If not classified, set to "unknown" to distinguish from
-+ connections that are still being tested. */
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return 1;
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ write_unlock(&ct_lock);
-+ return 0;
-+ }
-+}
-+
-+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
-+ char * app_data, int appdatalen)
-+{
-+ int length = 0, i;
-+ int oldlength = master_conntrack->layer7.app_data_len;
-+
-+ // This is a fix for a race condition by Deti Fliegl. However, I'm not
-+ // clear on whether the race condition exists or whether this really
-+ // fixes it. I might just be being dense... Anyway, if it's not really
-+ // a fix, all it does is waste a very small amount of time.
-+ if(!master_conntrack->layer7.app_data) return 0;
-+
-+ /* Strip nulls. Make everything lower case (our regex lib doesn't
-+ do case insensitivity). Add it to the end of the current data. */
-+ for(i = 0; i < maxdatalen-oldlength-1 &&
-+ i < appdatalen; i++) {
-+ if(app_data[i] != '\0') {
-+ master_conntrack->layer7.app_data[length+oldlength] =
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
-+ length++;
-+ }
-+ }
-+
-+ master_conntrack->layer7.app_data[length+oldlength] = '\0';
-+ master_conntrack->layer7.app_data_len = length + oldlength;
-+
-+ return length;
-+}
-+
-+/* Returns true on match and false otherwise. */
-+static int match(const struct sk_buff *skbin,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo,
-+ int offset, unsigned int protoff, int *hotdrop)
-+{
-+ /* sidestep const without getting a compiler warning... */
-+ struct sk_buff * skb = (struct sk_buff *)skbin;
-+
-+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
-+ enum ip_conntrack_info master_ctinfo, ctinfo;
-+ struct nf_conn *master_conntrack;
-+ struct ip_conntrack *conntrack;
-+ unsigned char * app_data;
-+ unsigned int pattern_result, appdatalen;
-+ regexp * comppattern;
-+
-+ if(!can_handle(skb)){
-+ DPRINTK("layer7: This is some protocol I can't handle.\n");
-+ return info->invert;
-+ }
-+
-+ /* Treat parent & all its children together as one connection, except
-+ for the purpose of setting conntrack->layer7.app_proto in the actual
-+ connection. This makes /proc/net/ip_conntrack more satisfying. */
-+ if(((conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
-+ ((master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
-+ return info->invert;
-+ }
-+
-+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
-+ while (master_ct(master_conntrack) != NULL)
-+ master_conntrack = master_ct(master_conntrack);
-+
-+ /* if we've classified it or seen too many packets */
-+ if(TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto) {
-+
-+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
-+
-+ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7
-+ rules. I'm not sure that using cb for this purpose is correct, even though
-+ it says "put your private variables there". But it doesn't look like it
-+ is being used for anything else in the skbs that make it here. */
-+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
-+
-+ return (pattern_result ^ info->invert);
-+ }
-+
-+ if(skb_is_nonlinear(skb)){
-+ if(skb_linearize(skb) != 0){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
-+ return info->invert;
-+ }
-+ }
-+
-+ /* now that the skb is linearized, it's safe to set these. */
-+ app_data = skb->data + app_data_offset(skb);
-+ appdatalen = skb->tail - app_data;
-+
-+ spin_lock_bh(&list_lock);
-+ /* the return value gets checked later, when we're ready to use it */
-+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+ spin_unlock_bh(&list_lock);
-+
-+ /* On the first packet of a connection, allocate space for app data */
-+ write_lock(&ct_lock);
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_data){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return info->invert;
-+ }
-+
-+ master_conntrack->layer7.app_data[0] = '\0';
-+ }
-+ write_unlock(&ct_lock);
-+
-+ /* Can be here, but unallocated, if numpackets is increased near
-+ the beginning of a connection */
-+ if(master_conntrack->layer7.app_data == NULL)
-+ return (info->invert); /* unmatched */
-+
-+ if(!skb->cb[0]){
-+ int newbytes;
-+ write_lock(&ct_lock);
-+ newbytes = add_data(master_conntrack, app_data, appdatalen);
-+ write_unlock(&ct_lock);
-+
-+ if(newbytes == 0) { /* didn't add any data */
-+ skb->cb[0] = 1;
-+ /* Didn't match before, not going to match now */
-+ return info->invert;
-+ }
-+ }
-+
-+ /* If looking for "unknown", then never match. "Unknown" means that
-+ we've given up; we're still trying with these packets. */
-+ read_lock(&ct_lock);
-+ if(!strcmp(info->protocol, "unknown")) {
-+ pattern_result = 0;
-+ /* If looking for "unset", then always match. "Unset" means that we
-+ haven't yet classified the connection. */
-+ } else if(!strcmp(info->protocol, "unset")) {
-+ pattern_result = 2;
-+ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
-+ /* If the regexp failed to compile, don't bother running it */
-+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
-+ DPRINTK("layer7: matched %s\n", info->protocol);
-+ pattern_result = 1;
-+ } else pattern_result = 0;
-+ read_unlock(&ct_lock);
-+
-+ if(pattern_result == 1) {
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
-+ return (pattern_result ^ info->invert);
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, info->protocol);
-+ write_unlock(&ct_lock);
-+ } else if(pattern_result > 1) { /* cleanup from "unset" */
-+ pattern_result = 1;
-+ }
-+
-+ /* mark the packet seen */
-+ skb->cb[0] = 1;
-+
-+ return (pattern_result ^ info->invert);
-+}
-+
-+static struct xt_match layer7_match = {
-+ .name = "layer7",
-+ .match = &match,
-+ .matchsize = sizeof(struct ipt_layer7_info),
-+ .family = AF_INET,
-+ .me = THIS_MODULE
-+};
-+
-+/* taken from drivers/video/modedb.c */
-+static int my_atoi(const char *s)
-+{
-+ int val = 0;
-+
-+ for (;; s++) {
-+ switch (*s) {
-+ case '0'...'9':
-+ val = 10*val+(*s-'0');
-+ break;
-+ default:
-+ return val;
-+ }
-+ }
-+}
-+
-+/* write out num_packets to userland. */
-+static int layer7_read_proc(char* page, char ** start, off_t off, int count,
-+ int* eof, void * data)
-+{
-+ if(num_packets > 99 && net_ratelimit())
-+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
-+
-+ page[0] = num_packets/10 + '0';
-+ page[1] = num_packets%10 + '0';
-+ page[2] = '\n';
-+ page[3] = '\0';
-+
-+ *eof=1;
-+
-+ return 3;
-+}
-+
-+/* Read in num_packets from userland */
-+static int layer7_write_proc(struct file* file, const char* buffer,
-+ unsigned long count, void *data)
-+{
-+ char * foo = kmalloc(count, GFP_ATOMIC);
-+
-+ if(!foo){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
-+ return count;
-+ }
-+
-+ if(copy_from_user(foo, buffer, count)) {
-+ return -EFAULT;
-+ }
-+
-+
-+ num_packets = my_atoi(foo);
-+ kfree (foo);
-+
-+ /* This has an arbitrary limit to make the math easier. I'm lazy.
-+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
-+ if(num_packets > 99) {
-+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
-+ num_packets = 99;
-+ } else if(num_packets < 1) {
-+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
-+ num_packets = 1;
-+ }
-+
-+ return count;
-+}
-+
-+/* register the proc file */
-+static void layer7_init_proc(void)
-+{
-+ struct proc_dir_entry* entry;
-+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+ entry->read_proc = layer7_read_proc;
-+ entry->write_proc = layer7_write_proc;
-+}
-+
-+static void layer7_cleanup_proc(void)
-+{
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+}
-+
-+static int __init ipt_layer7_init(void)
-+{
-+ need_conntrack();
-+
-+ layer7_init_proc();
-+ if(maxdatalen < 1) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
-+ maxdatalen = 1;
-+ }
-+ /* This is not a hard limit. It's just here to prevent people from
-+ bringing their slow machines to a grinding halt. */
-+ else if(maxdatalen > 65536) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
-+ maxdatalen = 65536;
-+ }
-+ return xt_register_match(&layer7_match);
-+}
-+
-+static void __exit ipt_layer7_fini(void)
-+{
-+ layer7_cleanup_proc();
-+ xt_unregister_match(&layer7_match);
-+}
-+
-+module_init(ipt_layer7_init);
-+module_exit(ipt_layer7_fini);
-Index: linux-2.6.21.5/net/ipv4/netfilter/Kconfig
-===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/Kconfig 2007-07-02 00:37:53.456287250 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/Kconfig 2007-07-02 01:21:17.231013000 +0200
-@@ -245,6 +245,24 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config IP_NF_MATCH_LAYER7
-+ tristate "Layer 7 match support (EXPERIMENTAL)"
-+ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
-+ help
-+ Say Y if you want to be able to classify connections (and their
-+ packets) based on regular expression matching of their application
-+ layer data. This is one way to classify applications such as
-+ peer-to-peer filesharing systems that do not always use the same
-+ port.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_MATCH_LAYER7_DEBUG
-+ bool "Layer 7 debugging output"
-+ depends on IP_NF_MATCH_LAYER7
-+ help
-+ Say Y to get lots of debugging output.
-+
- config IP_NF_MATCH_TOS
- tristate "TOS match support"
- depends on IP_NF_IPTABLES
-Index: linux-2.6.21.5/net/ipv4/netfilter/Makefile
-===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/Makefile 2007-07-02 00:37:53.464287750 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/Makefile 2007-07-02 00:43:58.191081750 +0200
-@@ -92,6 +92,8 @@
- obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
- obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-
-+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
-+
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
- obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 00:37:55.648424250 +0200
-@@ -0,0 +1,1197 @@
-+/*
-+ * regcomp and regexec -- regsub and regerror are elsewhere
-+ * @(#)regexp.c 1.3 of 18 April 87
-+ *
-+ * Copyright (c) 1986 by University of Toronto.
-+ * Written by Henry Spencer. Not derived from licensed software.
-+ *
-+ * Permission is granted to anyone to use this software for any
-+ * purpose on any computer system, and to redistribute it freely,
-+ * subject to the following restrictions:
-+ *
-+ * 1. The author is not responsible for the consequences of use of
-+ * this software, no matter how awful, even if they arise
-+ * from defects in it.
-+ *
-+ * 2. The origin of this software must not be misrepresented, either
-+ * by explicit claim or by omission.
-+ *
-+ * 3. Altered versions must be plainly marked as such, and must not
-+ * be misrepresented as being the original software.
-+ *
-+ * Beware that some of this code is subtly aware of the way operator
-+ * precedence is structured in regular expressions. Serious changes in
-+ * regular-expression syntax might require a total rethink.
-+ *
-+ * This code was modified by Ethan Sommer to work within the kernel
-+ * (it now uses kmalloc etc..)
-+ *
-+ * Modified slightly by Matthew Strait to use more modern C.
-+ */
-+
-+#include "regexp.h"
-+#include "regmagic.h"
-+
-+/* added by ethan and matt. Lets it work in both kernel and user space.
-+(So iptables can use it, for instance.) Yea, it goes both ways... */
-+#if __KERNEL__
-+ #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
-+#else
-+ #define printk(format,args...) printf(format,##args)
-+#endif
-+
-+void regerror(char * s)
-+{
-+ printk("<3>Regexp: %s\n", s);
-+ /* NOTREACHED */
-+}
-+
-+/*
-+ * The "internal use only" fields in regexp.h are present to pass info from
-+ * compile to execute that permits the execute phase to run lots faster on
-+ * simple cases. They are:
-+ *
-+ * regstart char that must begin a match; '\0' if none obvious
-+ * reganch is the match anchored (at beginning-of-line only)?
-+ * regmust string (pointer into program) that match must include, or NULL
-+ * regmlen length of regmust string
-+ *
-+ * Regstart and reganch permit very fast decisions on suitable starting points
-+ * for a match, cutting down the work a lot. Regmust permits fast rejection
-+ * of lines that cannot possibly match. The regmust tests are costly enough
-+ * that regcomp() supplies a regmust only if the r.e. contains something
-+ * potentially expensive (at present, the only such thing detected is * or +
-+ * at the start of the r.e., which can involve a lot of backup). Regmlen is
-+ * supplied because the test in regexec() needs it and regcomp() is computing
-+ * it anyway.
-+ */
-+
-+/*
-+ * Structure for regexp "program". This is essentially a linear encoding
-+ * of a nondeterministic finite-state machine (aka syntax charts or
-+ * "railroad normal form" in parsing technology). Each node is an opcode
-+ * plus a "next" pointer, possibly plus an operand. "Next" pointers of
-+ * all nodes except BRANCH implement concatenation; a "next" pointer with
-+ * a BRANCH on both ends of it is connecting two alternatives. (Here we
-+ * have one of the subtle syntax dependencies: an individual BRANCH (as
-+ * opposed to a collection of them) is never concatenated with anything
-+ * because of operator precedence.) The operand of some types of node is
-+ * a literal string; for others, it is a node leading into a sub-FSM. In
-+ * particular, the operand of a BRANCH node is the first node of the branch.
-+ * (NB this is *not* a tree structure: the tail of the branch connects
-+ * to the thing following the set of BRANCHes.) The opcodes are:
-+ */
-+
-+/* definition number opnd? meaning */
-+#define END 0 /* no End of program. */
-+#define BOL 1 /* no Match "" at beginning of line. */
-+#define EOL 2 /* no Match "" at end of line. */
-+#define ANY 3 /* no Match any one character. */
-+#define ANYOF 4 /* str Match any character in this string. */
-+#define ANYBUT 5 /* str Match any character not in this string. */
-+#define BRANCH 6 /* node Match this alternative, or the next... */
-+#define BACK 7 /* no Match "", "next" ptr points backward. */
-+#define EXACTLY 8 /* str Match this string. */
-+#define NOTHING 9 /* no Match empty string. */
-+#define STAR 10 /* node Match this (simple) thing 0 or more times. */
-+#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
-+#define OPEN 20 /* no Mark this point in input as start of #n. */
-+ /* OPEN+1 is number 1, etc. */
-+#define CLOSE 30 /* no Analogous to OPEN. */
-+
-+/*
-+ * Opcode notes:
-+ *
-+ * BRANCH The set of branches constituting a single choice are hooked
-+ * together with their "next" pointers, since precedence prevents
-+ * anything being concatenated to any individual branch. The
-+ * "next" pointer of the last BRANCH in a choice points to the
-+ * thing following the whole choice. This is also where the
-+ * final "next" pointer of each individual branch points; each
-+ * branch starts with the operand node of a BRANCH node.
-+ *
-+ * BACK Normal "next" pointers all implicitly point forward; BACK
-+ * exists to make loop structures possible.
-+ *
-+ * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
-+ * BRANCH structures using BACK. Simple cases (one character
-+ * per match) are implemented with STAR and PLUS for speed
-+ * and to minimize recursive plunges.
-+ *
-+ * OPEN,CLOSE ...are numbered at compile time.
-+ */
-+
-+/*
-+ * A node is one char of opcode followed by two chars of "next" pointer.
-+ * "Next" pointers are stored as two 8-bit pieces, high order first. The
-+ * value is a positive offset from the opcode of the node containing it.
-+ * An operand, if any, simply follows the node. (Note that much of the
-+ * code generation knows about this implicit relationship.)
-+ *
-+ * Using two bytes for the "next" pointer is vast overkill for most things,
-+ * but allows patterns to get big without disasters.
-+ */
-+#define OP(p) (*(p))
-+#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
-+#define OPERAND(p) ((p) + 3)
-+
-+/*
-+ * See regmagic.h for one further detail of program structure.
-+ */
-+
-+
-+/*
-+ * Utility definitions.
-+ */
-+#ifndef CHARBITS
-+#define UCHARAT(p) ((int)*(unsigned char *)(p))
-+#else
-+#define UCHARAT(p) ((int)*(p)&CHARBITS)
-+#endif
-+
-+#define FAIL(m) { regerror(m); return(NULL); }
-+#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
-+#define META "^$.[()|?+*\\"
-+
-+/*
-+ * Flags to be passed up and down.
-+ */
-+#define HASWIDTH 01 /* Known never to match null string. */
-+#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
-+#define SPSTART 04 /* Starts with * or +. */
-+#define WORST 0 /* Worst case. */
-+
-+/*
-+ * Global work variables for regcomp().
-+ */
-+struct match_globals {
-+char *reginput; /* String-input pointer. */
-+char *regbol; /* Beginning of input, for ^ check. */
-+char **regstartp; /* Pointer to startp array. */
-+char **regendp; /* Ditto for endp. */
-+char *regparse; /* Input-scan pointer. */
-+int regnpar; /* () count. */
-+char regdummy;
-+char *regcode; /* Code-emit pointer; ®dummy = don't. */
-+long regsize; /* Code size. */
-+};
-+
-+/*
-+ * Forward declarations for regcomp()'s friends.
-+ */
-+#ifndef STATIC
-+#define STATIC static
-+#endif
-+STATIC char *reg(struct match_globals *g, int paren,int *flagp);
-+STATIC char *regbranch(struct match_globals *g, int *flagp);
-+STATIC char *regpiece(struct match_globals *g, int *flagp);
-+STATIC char *regatom(struct match_globals *g, int *flagp);
-+STATIC char *regnode(struct match_globals *g, char op);
-+STATIC char *regnext(struct match_globals *g, char *p);
-+STATIC void regc(struct match_globals *g, char b);
-+STATIC void reginsert(struct match_globals *g, char op, char *opnd);
-+STATIC void regtail(struct match_globals *g, char *p, char *val);
-+STATIC void regoptail(struct match_globals *g, char *p, char *val);
-+
-+
-+__kernel_size_t my_strcspn(const char *s1,const char *s2)
-+{
-+ char *scan1;
-+ char *scan2;
-+ int count;
-+
-+ count = 0;
-+ for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
-+ for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
-+ if (*scan1 == *scan2++)
-+ return(count);
-+ count++;
-+ }
-+ return(count);
-+}
-+
-+/*
-+ - regcomp - compile a regular expression into internal code
-+ *
-+ * We can't allocate space until we know how big the compiled form will be,
-+ * but we can't compile it (and thus know how big it is) until we've got a
-+ * place to put the code. So we cheat: we compile it twice, once with code
-+ * generation turned off and size counting turned on, and once "for real".
-+ * This also means that we don't allocate space until we are sure that the
-+ * thing really will compile successfully, and we never have to move the
-+ * code and thus invalidate pointers into it. (Note that it has to be in
-+ * one piece because free() must be able to free it all.)
-+ *
-+ * Beware that the optimization-preparation code in here knows about some
-+ * of the structure of the compiled regexp.
-+ */
-+regexp *
-+regcomp(char *exp,int *patternsize)
-+{
-+ register regexp *r;
-+ register char *scan;
-+ register char *longest;
-+ register int len;
-+ int flags;
-+ struct match_globals g;
-+
-+ /* commented out by ethan
-+ extern char *malloc();
-+ */
-+
-+ if (exp == NULL)
-+ FAIL("NULL argument");
-+
-+ /* First pass: determine size, legality. */
-+ g.regparse = exp;
-+ g.regnpar = 1;
-+ g.regsize = 0L;
-+ g.regcode = &g.regdummy;
-+ regc(&g, MAGIC);
-+ if (reg(&g, 0, &flags) == NULL)
-+ return(NULL);
-+
-+ /* Small enough for pointer-storage convention? */
-+ if (g.regsize >= 32767L) /* Probably could be 65535L. */
-+ FAIL("regexp too big");
-+
-+ /* Allocate space. */
-+ *patternsize=sizeof(regexp) + (unsigned)g.regsize;
-+ r = (regexp *)malloc(sizeof(regexp) + (unsigned)g.regsize);
-+ if (r == NULL)
-+ FAIL("out of space");
-+
-+ /* Second pass: emit code. */
-+ g.regparse = exp;
-+ g.regnpar = 1;
-+ g.regcode = r->program;
-+ regc(&g, MAGIC);
-+ if (reg(&g, 0, &flags) == NULL)
-+ return(NULL);
-+
-+ /* Dig out information for optimizations. */
-+ r->regstart = '\0'; /* Worst-case defaults. */
-+ r->reganch = 0;
-+ r->regmust = NULL;
-+ r->regmlen = 0;
-+ scan = r->program+1; /* First BRANCH. */
-+ if (OP(regnext(&g, scan)) == END) { /* Only one top-level choice. */
-+ scan = OPERAND(scan);
-+
-+ /* Starting-point info. */
-+ if (OP(scan) == EXACTLY)
-+ r->regstart = *OPERAND(scan);
-+ else if (OP(scan) == BOL)
-+ r->reganch++;
-+
-+ /*
-+ * If there's something expensive in the r.e., find the
-+ * longest literal string that must appear and make it the
-+ * regmust. Resolve ties in favor of later strings, since
-+ * the regstart check works with the beginning of the r.e.
-+ * and avoiding duplication strengthens checking. Not a
-+ * strong reason, but sufficient in the absence of others.
-+ */
-+ if (flags&SPSTART) {
-+ longest = NULL;
-+ len = 0;
-+ for (; scan != NULL; scan = regnext(&g, scan))
-+ if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
-+ longest = OPERAND(scan);
-+ len = strlen(OPERAND(scan));
-+ }
-+ r->regmust = longest;
-+ r->regmlen = len;
-+ }
-+ }
-+
-+ return(r);
-+}
-+
-+/*
-+ - reg - regular expression, i.e. main body or parenthesized thing
-+ *
-+ * Caller must absorb opening parenthesis.
-+ *
-+ * Combining parenthesis handling with the base level of regular expression
-+ * is a trifle forced, but the need to tie the tails of the branches to what
-+ * follows makes it hard to avoid.
-+ */
-+static char *
-+reg(struct match_globals *g, int paren, int *flagp /* Parenthesized? */ )
-+{
-+ register char *ret;
-+ register char *br;
-+ register char *ender;
-+ register int parno = 0; /* 0 makes gcc happy */
-+ int flags;
-+
-+ *flagp = HASWIDTH; /* Tentatively. */
-+
-+ /* Make an OPEN node, if parenthesized. */
-+ if (paren) {
-+ if (g->regnpar >= NSUBEXP)
-+ FAIL("too many ()");
-+ parno = g->regnpar;
-+ g->regnpar++;
-+ ret = regnode(g, OPEN+parno);
-+ } else
-+ ret = NULL;
-+
-+ /* Pick up the branches, linking them together. */
-+ br = regbranch(g, &flags);
-+ if (br == NULL)
-+ return(NULL);
-+ if (ret != NULL)
-+ regtail(g, ret, br); /* OPEN -> first. */
-+ else
-+ ret = br;
-+ if (!(flags&HASWIDTH))
-+ *flagp &= ~HASWIDTH;
-+ *flagp |= flags&SPSTART;
-+ while (*g->regparse == '|') {
-+ g->regparse++;
-+ br = regbranch(g, &flags);
-+ if (br == NULL)
-+ return(NULL);
-+ regtail(g, ret, br); /* BRANCH -> BRANCH. */
-+ if (!(flags&HASWIDTH))
-+ *flagp &= ~HASWIDTH;
-+ *flagp |= flags&SPSTART;
-+ }
-+
-+ /* Make a closing node, and hook it on the end. */
-+ ender = regnode(g, (paren) ? CLOSE+parno : END);
-+ regtail(g, ret, ender);
-+
-+ /* Hook the tails of the branches to the closing node. */
-+ for (br = ret; br != NULL; br = regnext(g, br))
-+ regoptail(g, br, ender);
-+
-+ /* Check for proper termination. */
-+ if (paren && *g->regparse++ != ')') {
-+ FAIL("unmatched ()");
-+ } else if (!paren && *g->regparse != '\0') {
-+ if (*g->regparse == ')') {
-+ FAIL("unmatched ()");
-+ } else
-+ FAIL("junk on end"); /* "Can't happen". */
-+ /* NOTREACHED */
-+ }
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regbranch - one alternative of an | operator
-+ *
-+ * Implements the concatenation operator.
-+ */
-+static char *
-+regbranch(struct match_globals *g, int *flagp)
-+{
-+ register char *ret;
-+ register char *chain;
-+ register char *latest;
-+ int flags;
-+
-+ *flagp = WORST; /* Tentatively. */
-+
-+ ret = regnode(g, BRANCH);
-+ chain = NULL;
-+ while (*g->regparse != '\0' && *g->regparse != '|' && *g->regparse != ')') {
-+ latest = regpiece(g, &flags);
-+ if (latest == NULL)
-+ return(NULL);
-+ *flagp |= flags&HASWIDTH;
-+ if (chain == NULL) /* First piece. */
-+ *flagp |= flags&SPSTART;
-+ else
-+ regtail(g, chain, latest);
-+ chain = latest;
-+ }
-+ if (chain == NULL) /* Loop ran zero times. */
-+ (void) regnode(g, NOTHING);
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regpiece - something followed by possible [*+?]
-+ *
-+ * Note that the branching code sequences used for ? and the general cases
-+ * of * and + are somewhat optimized: they use the same NOTHING node as
-+ * both the endmarker for their branch list and the body of the last branch.
-+ * It might seem that this node could be dispensed with entirely, but the
-+ * endmarker role is not redundant.
-+ */
-+static char *
-+regpiece(struct match_globals *g, int *flagp)
-+{
-+ register char *ret;
-+ register char op;
-+ register char *next;
-+ int flags;
-+
-+ ret = regatom(g, &flags);
-+ if (ret == NULL)
-+ return(NULL);
-+
-+ op = *g->regparse;
-+ if (!ISMULT(op)) {
-+ *flagp = flags;
-+ return(ret);
-+ }
-+
-+ if (!(flags&HASWIDTH) && op != '?')
-+ FAIL("*+ operand could be empty");
-+ *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
-+
-+ if (op == '*' && (flags&SIMPLE))
-+ reginsert(g, STAR, ret);
-+ else if (op == '*') {
-+ /* Emit x* as (x&|), where & means "self". */
-+ reginsert(g, BRANCH, ret); /* Either x */
-+ regoptail(g, ret, regnode(g, BACK)); /* and loop */
-+ regoptail(g, ret, ret); /* back */
-+ regtail(g, ret, regnode(g, BRANCH)); /* or */
-+ regtail(g, ret, regnode(g, NOTHING)); /* null. */
-+ } else if (op == '+' && (flags&SIMPLE))
-+ reginsert(g, PLUS, ret);
-+ else if (op == '+') {
-+ /* Emit x+ as x(&|), where & means "self". */
-+ next = regnode(g, BRANCH); /* Either */
-+ regtail(g, ret, next);
-+ regtail(g, regnode(g, BACK), ret); /* loop back */
-+ regtail(g, next, regnode(g, BRANCH)); /* or */
-+ regtail(g, ret, regnode(g, NOTHING)); /* null. */
-+ } else if (op == '?') {
-+ /* Emit x? as (x|) */
-+ reginsert(g, BRANCH, ret); /* Either x */
-+ regtail(g, ret, regnode(g, BRANCH)); /* or */
-+ next = regnode(g, NOTHING); /* null. */
-+ regtail(g, ret, next);
-+ regoptail(g, ret, next);
-+ }
-+ g->regparse++;
-+ if (ISMULT(*g->regparse))
-+ FAIL("nested *?+");
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regatom - the lowest level
-+ *
-+ * Optimization: gobbles an entire sequence of ordinary characters so that
-+ * it can turn them into a single node, which is smaller to store and
-+ * faster to run. Backslashed characters are exceptions, each becoming a
-+ * separate node; the code is simpler that way and it's not worth fixing.
-+ */
-+static char *
-+regatom(struct match_globals *g, int *flagp)
-+{
-+ register char *ret;
-+ int flags;
-+
-+ *flagp = WORST; /* Tentatively. */
-+
-+ switch (*g->regparse++) {
-+ case '^':
-+ ret = regnode(g, BOL);
-+ break;
-+ case '$':
-+ ret = regnode(g, EOL);
-+ break;
-+ case '.':
-+ ret = regnode(g, ANY);
-+ *flagp |= HASWIDTH|SIMPLE;
-+ break;
-+ case '[': {
-+ register int class;
-+ register int classend;
-+
-+ if (*g->regparse == '^') { /* Complement of range. */
-+ ret = regnode(g, ANYBUT);
-+ g->regparse++;
-+ } else
-+ ret = regnode(g, ANYOF);
-+ if (*g->regparse == ']' || *g->regparse == '-')
-+ regc(g, *g->regparse++);
-+ while (*g->regparse != '\0' && *g->regparse != ']') {
-+ if (*g->regparse == '-') {
-+ g->regparse++;
-+ if (*g->regparse == ']' || *g->regparse == '\0')
-+ regc(g, '-');
-+ else {
-+ class = UCHARAT(g->regparse-2)+1;
-+ classend = UCHARAT(g->regparse);
-+ if (class > classend+1)
-+ FAIL("invalid [] range");
-+ for (; class <= classend; class++)
-+ regc(g, class);
-+ g->regparse++;
-+ }
-+ } else
-+ regc(g, *g->regparse++);
-+ }
-+ regc(g, '\0');
-+ if (*g->regparse != ']')
-+ FAIL("unmatched []");
-+ g->regparse++;
-+ *flagp |= HASWIDTH|SIMPLE;
-+ }
-+ break;
-+ case '(':
-+ ret = reg(g, 1, &flags);
-+ if (ret == NULL)
-+ return(NULL);
-+ *flagp |= flags&(HASWIDTH|SPSTART);
-+ break;
-+ case '\0':
-+ case '|':
-+ case ')':
-+ FAIL("internal urp"); /* Supposed to be caught earlier. */
-+ break;
-+ case '?':
-+ case '+':
-+ case '*':
-+ FAIL("?+* follows nothing");
-+ break;
-+ case '\\':
-+ if (*g->regparse == '\0')
-+ FAIL("trailing \\");
-+ ret = regnode(g, EXACTLY);
-+ regc(g, *g->regparse++);
-+ regc(g, '\0');
-+ *flagp |= HASWIDTH|SIMPLE;
-+ break;
-+ default: {
-+ register int len;
-+ register char ender;
-+
-+ g->regparse--;
-+ len = my_strcspn((const char *)g->regparse, (const char *)META);
-+ if (len <= 0)
-+ FAIL("internal disaster");
-+ ender = *(g->regparse+len);
-+ if (len > 1 && ISMULT(ender))
-+ len--; /* Back off clear of ?+* operand. */
-+ *flagp |= HASWIDTH;
-+ if (len == 1)
-+ *flagp |= SIMPLE;
-+ ret = regnode(g, EXACTLY);
-+ while (len > 0) {
-+ regc(g, *g->regparse++);
-+ len--;
-+ }
-+ regc(g, '\0');
-+ }
-+ break;
-+ }
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regnode - emit a node
-+ */
-+static char * /* Location. */
-+regnode(struct match_globals *g, char op)
-+{
-+ register char *ret;
-+ register char *ptr;
-+
-+ ret = g->regcode;
-+ if (ret == &g->regdummy) {
-+ g->regsize += 3;
-+ return(ret);
-+ }
-+
-+ ptr = ret;
-+ *ptr++ = op;
-+ *ptr++ = '\0'; /* Null "next" pointer. */
-+ *ptr++ = '\0';
-+ g->regcode = ptr;
-+
-+ return(ret);
-+}
-+
-+/*
-+ - regc - emit (if appropriate) a byte of code
-+ */
-+static void
-+regc(struct match_globals *g, char b)
-+{
-+ if (g->regcode != &g->regdummy)
-+ *g->regcode++ = b;
-+ else
-+ g->regsize++;
-+}
-+
-+/*
-+ - reginsert - insert an operator in front of already-emitted operand
-+ *
-+ * Means relocating the operand.
-+ */
-+static void
-+reginsert(struct match_globals *g, char op, char* opnd)
-+{
-+ register char *src;
-+ register char *dst;
-+ register char *place;
-+
-+ if (g->regcode == &g->regdummy) {
-+ g->regsize += 3;
-+ return;
-+ }
-+
-+ src = g->regcode;
-+ g->regcode += 3;
-+ dst = g->regcode;
-+ while (src > opnd)
-+ *--dst = *--src;
-+
-+ place = opnd; /* Op node, where operand used to be. */
-+ *place++ = op;
-+ *place++ = '\0';
-+ *place++ = '\0';
-+}
-+
-+/*
-+ - regtail - set the next-pointer at the end of a node chain
-+ */
-+static void
-+regtail(struct match_globals *g, char *p, char *val)
-+{
-+ register char *scan;
-+ register char *temp;
-+ register int offset;
-+
-+ if (p == &g->regdummy)
-+ return;
-+
-+ /* Find last node. */
-+ scan = p;
-+ for (;;) {
-+ temp = regnext(g, scan);
-+ if (temp == NULL)
-+ break;
-+ scan = temp;
-+ }
-+
-+ if (OP(scan) == BACK)
-+ offset = scan - val;
-+ else
-+ offset = val - scan;
-+ *(scan+1) = (offset>>8)&0377;
-+ *(scan+2) = offset&0377;
-+}
-+
-+/*
-+ - regoptail - regtail on operand of first argument; nop if operandless
-+ */
-+static void
-+regoptail(struct match_globals *g, char *p, char *val)
-+{
-+ /* "Operandless" and "op != BRANCH" are synonymous in practice. */
-+ if (p == NULL || p == &g->regdummy || OP(p) != BRANCH)
-+ return;
-+ regtail(g, OPERAND(p), val);
-+}
-+
-+/*
-+ * regexec and friends
-+ */
-+
-+
-+/*
-+ * Forwards.
-+ */
-+STATIC int regtry(struct match_globals *g, regexp *prog, char *string);
-+STATIC int regmatch(struct match_globals *g, char *prog);
-+STATIC int regrepeat(struct match_globals *g, char *p);
-+
-+#ifdef DEBUG
-+int regnarrate = 0;
-+void regdump();
-+STATIC char *regprop(char *op);
-+#endif
-+
-+/*
-+ - regexec - match a regexp against a string
-+ */
-+int
-+regexec(regexp *prog, char *string)
-+{
-+ register char *s;
-+ struct match_globals g;
-+
-+ /* Be paranoid... */
-+ if (prog == NULL || string == NULL) {
-+ printk("<3>Regexp: NULL parameter\n");
-+ return(0);
-+ }
-+
-+ /* Check validity of program. */
-+ if (UCHARAT(prog->program) != MAGIC) {
-+ printk("<3>Regexp: corrupted program\n");
-+ return(0);
-+ }
-+
-+ /* If there is a "must appear" string, look for it. */
-+ if (prog->regmust != NULL) {
-+ s = string;
-+ while ((s = strchr(s, prog->regmust[0])) != NULL) {
-+ if (strncmp(s, prog->regmust, prog->regmlen) == 0)
-+ break; /* Found it. */
-+ s++;
-+ }
-+ if (s == NULL) /* Not present. */
-+ return(0);
-+ }
-+
-+ /* Mark beginning of line for ^ . */
-+ g.regbol = string;
-+
-+ /* Simplest case: anchored match need be tried only once. */
-+ if (prog->reganch)
-+ return(regtry(&g, prog, string));
-+
-+ /* Messy cases: unanchored match. */
-+ s = string;
-+ if (prog->regstart != '\0')
-+ /* We know what char it must start with. */
-+ while ((s = strchr(s, prog->regstart)) != NULL) {
-+ if (regtry(&g, prog, s))
-+ return(1);
-+ s++;
-+ }
-+ else
-+ /* We don't -- general case. */
-+ do {
-+ if (regtry(&g, prog, s))
-+ return(1);
-+ } while (*s++ != '\0');
-+
-+ /* Failure. */
-+ return(0);
-+}
-+
-+/*
-+ - regtry - try match at specific point
-+ */
-+static int /* 0 failure, 1 success */
-+regtry(struct match_globals *g, regexp *prog, char *string)
-+{
-+ register int i;
-+ register char **sp;
-+ register char **ep;
-+
-+ g->reginput = string;
-+ g->regstartp = prog->startp;
-+ g->regendp = prog->endp;
-+
-+ sp = prog->startp;
-+ ep = prog->endp;
-+ for (i = NSUBEXP; i > 0; i--) {
-+ *sp++ = NULL;
-+ *ep++ = NULL;
-+ }
-+ if (regmatch(g, prog->program + 1)) {
-+ prog->startp[0] = string;
-+ prog->endp[0] = g->reginput;
-+ return(1);
-+ } else
-+ return(0);
-+}
-+
-+/*
-+ - regmatch - main matching routine
-+ *
-+ * Conceptually the strategy is simple: check to see whether the current
-+ * node matches, call self recursively to see whether the rest matches,
-+ * and then act accordingly. In practice we make some effort to avoid
-+ * recursion, in particular by going through "ordinary" nodes (that don't
-+ * need to know whether the rest of the match failed) by a loop instead of
-+ * by recursion.
-+ */
-+static int /* 0 failure, 1 success */
-+regmatch(struct match_globals *g, char *prog)
-+{
-+ register char *scan = prog; /* Current node. */
-+ char *next; /* Next node. */
-+
-+#ifdef DEBUG
-+ if (scan != NULL && regnarrate)
-+ fprintf(stderr, "%s(\n", regprop(scan));
-+#endif
-+ while (scan != NULL) {
-+#ifdef DEBUG
-+ if (regnarrate)
-+ fprintf(stderr, "%s...\n", regprop(scan));
-+#endif
-+ next = regnext(g, scan);
-+
-+ switch (OP(scan)) {
-+ case BOL:
-+ if (g->reginput != g->regbol)
-+ return(0);
-+ break;
-+ case EOL:
-+ if (*g->reginput != '\0')
-+ return(0);
-+ break;
-+ case ANY:
-+ if (*g->reginput == '\0')
-+ return(0);
-+ g->reginput++;
-+ break;
-+ case EXACTLY: {
-+ register int len;
-+ register char *opnd;
-+
-+ opnd = OPERAND(scan);
-+ /* Inline the first character, for speed. */
-+ if (*opnd != *g->reginput)
-+ return(0);
-+ len = strlen(opnd);
-+ if (len > 1 && strncmp(opnd, g->reginput, len) != 0)
-+ return(0);
-+ g->reginput += len;
-+ }
-+ break;
-+ case ANYOF:
-+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) == NULL)
-+ return(0);
-+ g->reginput++;
-+ break;
-+ case ANYBUT:
-+ if (*g->reginput == '\0' || strchr(OPERAND(scan), *g->reginput) != NULL)
-+ return(0);
-+ g->reginput++;
-+ break;
-+ case NOTHING:
-+ case BACK:
-+ break;
-+ case OPEN+1:
-+ case OPEN+2:
-+ case OPEN+3:
-+ case OPEN+4:
-+ case OPEN+5:
-+ case OPEN+6:
-+ case OPEN+7:
-+ case OPEN+8:
-+ case OPEN+9: {
-+ register int no;
-+ register char *save;
-+
-+ no = OP(scan) - OPEN;
-+ save = g->reginput;
-+
-+ if (regmatch(g, next)) {
-+ /*
-+ * Don't set startp if some later
-+ * invocation of the same parentheses
-+ * already has.
-+ */
-+ if (g->regstartp[no] == NULL)
-+ g->regstartp[no] = save;
-+ return(1);
-+ } else
-+ return(0);
-+ }
-+ break;
-+ case CLOSE+1:
-+ case CLOSE+2:
-+ case CLOSE+3:
-+ case CLOSE+4:
-+ case CLOSE+5:
-+ case CLOSE+6:
-+ case CLOSE+7:
-+ case CLOSE+8:
-+ case CLOSE+9:
-+ {
-+ register int no;
-+ register char *save;
-+
-+ no = OP(scan) - CLOSE;
-+ save = g->reginput;
-+
-+ if (regmatch(g, next)) {
-+ /*
-+ * Don't set endp if some later
-+ * invocation of the same parentheses
-+ * already has.
-+ */
-+ if (g->regendp[no] == NULL)
-+ g->regendp[no] = save;
-+ return(1);
-+ } else
-+ return(0);
-+ }
-+ break;
-+ case BRANCH: {
-+ register char *save;
-+
-+ if (OP(next) != BRANCH) /* No choice. */
-+ next = OPERAND(scan); /* Avoid recursion. */
-+ else {
-+ do {
-+ save = g->reginput;
-+ if (regmatch(g, OPERAND(scan)))
-+ return(1);
-+ g->reginput = save;
-+ scan = regnext(g, scan);
-+ } while (scan != NULL && OP(scan) == BRANCH);
-+ return(0);
-+ /* NOTREACHED */
-+ }
-+ }
-+ break;
-+ case STAR:
-+ case PLUS: {
-+ register char nextch;
-+ register int no;
-+ register char *save;
-+ register int min;
-+
-+ /*
-+ * Lookahead to avoid useless match attempts
-+ * when we know what character comes next.
-+ */
-+ nextch = '\0';
-+ if (OP(next) == EXACTLY)
-+ nextch = *OPERAND(next);
-+ min = (OP(scan) == STAR) ? 0 : 1;
-+ save = g->reginput;
-+ no = regrepeat(g, OPERAND(scan));
-+ while (no >= min) {
-+ /* If it could work, try it. */
-+ if (nextch == '\0' || *g->reginput == nextch)
-+ if (regmatch(g, next))
-+ return(1);
-+ /* Couldn't or didn't -- back up. */
-+ no--;
-+ g->reginput = save + no;
-+ }
-+ return(0);
-+ }
-+ break;
-+ case END:
-+ return(1); /* Success! */
-+ break;
-+ default:
-+ printk("<3>Regexp: memory corruption\n");
-+ return(0);
-+ break;
-+ }
-+
-+ scan = next;
-+ }
-+
-+ /*
-+ * We get here only if there's trouble -- normally "case END" is
-+ * the terminating point.
-+ */
-+ printk("<3>Regexp: corrupted pointers\n");
-+ return(0);
-+}
-+
-+/*
-+ - regrepeat - repeatedly match something simple, report how many
-+ */
-+static int
-+regrepeat(struct match_globals *g, char *p)
-+{
-+ register int count = 0;
-+ register char *scan;
-+ register char *opnd;
-+
-+ scan = g->reginput;
-+ opnd = OPERAND(p);
-+ switch (OP(p)) {
-+ case ANY:
-+ count = strlen(scan);
-+ scan += count;
-+ break;
-+ case EXACTLY:
-+ while (*opnd == *scan) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ case ANYOF:
-+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ case ANYBUT:
-+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
-+ count++;
-+ scan++;
-+ }
-+ break;
-+ default: /* Oh dear. Called inappropriately. */
-+ printk("<3>Regexp: internal foulup\n");
-+ count = 0; /* Best compromise. */
-+ break;
-+ }
-+ g->reginput = scan;
-+
-+ return(count);
-+}
-+
-+/*
-+ - regnext - dig the "next" pointer out of a node
-+ */
-+static char*
-+regnext(struct match_globals *g, char *p)
-+{
-+ register int offset;
-+
-+ if (p == &g->regdummy)
-+ return(NULL);
-+
-+ offset = NEXT(p);
-+ if (offset == 0)
-+ return(NULL);
-+
-+ if (OP(p) == BACK)
-+ return(p-offset);
-+ else
-+ return(p+offset);
-+}
-+
-+#ifdef DEBUG
-+
-+STATIC char *regprop();
-+
-+/*
-+ - regdump - dump a regexp onto stdout in vaguely comprehensible form
-+ */
-+void
-+regdump(regexp *r)
-+{
-+ register char *s;
-+ register char op = EXACTLY; /* Arbitrary non-END op. */
-+ register char *next;
-+ /* extern char *strchr(); */
-+
-+
-+ s = r->program + 1;
-+ while (op != END) { /* While that wasn't END last time... */
-+ op = OP(s);
-+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
-+ next = regnext(s);
-+ if (next == NULL) /* Next ptr. */
-+ printf("(0)");
-+ else
-+ printf("(%d)", (s-r->program)+(next-s));
-+ s += 3;
-+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
-+ /* Literal string, where present. */
-+ while (*s != '\0') {
-+ putchar(*s);
-+ s++;
-+ }
-+ s++;
-+ }
-+ putchar('\n');
-+ }
-+
-+ /* Header fields of interest. */
-+ if (r->regstart != '\0')
-+ printf("start `%c' ", r->regstart);
-+ if (r->reganch)
-+ printf("anchored ");
-+ if (r->regmust != NULL)
-+ printf("must have \"%s\"", r->regmust);
-+ printf("\n");
-+}
-+
-+/*
-+ - regprop - printable representation of opcode
-+ */
-+static char *
-+regprop(char *op)
-+{
-+#define BUFLEN 50
-+ register char *p;
-+ static char buf[BUFLEN];
-+
-+ strcpy(buf, ":");
-+
-+ switch (OP(op)) {
-+ case BOL:
-+ p = "BOL";
-+ break;
-+ case EOL:
-+ p = "EOL";
-+ break;
-+ case ANY:
-+ p = "ANY";
-+ break;
-+ case ANYOF:
-+ p = "ANYOF";
-+ break;
-+ case ANYBUT:
-+ p = "ANYBUT";
-+ break;
-+ case BRANCH:
-+ p = "BRANCH";
-+ break;
-+ case EXACTLY:
-+ p = "EXACTLY";
-+ break;
-+ case NOTHING:
-+ p = "NOTHING";
-+ break;
-+ case BACK:
-+ p = "BACK";
-+ break;
-+ case END:
-+ p = "END";
-+ break;
-+ case OPEN+1:
-+ case OPEN+2:
-+ case OPEN+3:
-+ case OPEN+4:
-+ case OPEN+5:
-+ case OPEN+6:
-+ case OPEN+7:
-+ case OPEN+8:
-+ case OPEN+9:
-+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
-+ p = NULL;
-+ break;
-+ case CLOSE+1:
-+ case CLOSE+2:
-+ case CLOSE+3:
-+ case CLOSE+4:
-+ case CLOSE+5:
-+ case CLOSE+6:
-+ case CLOSE+7:
-+ case CLOSE+8:
-+ case CLOSE+9:
-+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
-+ p = NULL;
-+ break;
-+ case STAR:
-+ p = "STAR";
-+ break;
-+ case PLUS:
-+ p = "PLUS";
-+ break;
-+ default:
-+ printk("<3>Regexp: corrupted opcode\n");
-+ break;
-+ }
-+ if (p != NULL)
-+ strncat(buf, p, BUFLEN-strlen(buf));
-+ return(buf);
-+}
-+#endif
-+
-+
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 00:37:55.700427500 +0200
-@@ -0,0 +1,41 @@
-+/*
-+ * Definitions etc. for regexp(3) routines.
-+ *
-+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
-+ * not the System V one.
-+ */
-+
-+#ifndef REGEXP_H
-+#define REGEXP_H
-+
-+
-+/*
-+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
-+which contains a version of this library, says:
-+
-+ *
-+ * NSUBEXP must be at least 10, and no greater than 117 or the parser
-+ * will not work properly.
-+ *
-+
-+However, it looks rather like this library is limited to 10. If you think
-+otherwise, let us know.
-+*/
-+
-+#define NSUBEXP 10
-+typedef struct regexp {
-+ char *startp[NSUBEXP];
-+ char *endp[NSUBEXP];
-+ char regstart; /* Internal use only. */
-+ char reganch; /* Internal use only. */
-+ char *regmust; /* Internal use only. */
-+ int regmlen; /* Internal use only. */
-+ char program[1]; /* Unwarranted chumminess with compiler. */
-+} regexp;
-+
-+regexp * regcomp(char *exp, int *patternsize);
-+int regexec(regexp *prog, char *string);
-+void regsub(regexp *prog, char *source, char *dest);
-+void regerror(char *s);
-+
-+#endif
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 00:37:55.724429000 +0200
-@@ -0,0 +1,5 @@
-+/*
-+ * The first byte of the regexp internal "program" is actually this magic
-+ * number; the start node begins in the second byte.
-+ */
-+#define MAGIC 0234
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 00:37:55.752430750 +0200
-@@ -0,0 +1,95 @@
-+/*
-+ * regsub
-+ * @(#)regsub.c 1.3 of 2 April 86
-+ *
-+ * Copyright (c) 1986 by University of Toronto.
-+ * Written by Henry Spencer. Not derived from licensed software.
-+ *
-+ * Permission is granted to anyone to use this software for any
-+ * purpose on any computer system, and to redistribute it freely,
-+ * subject to the following restrictions:
-+ *
-+ * 1. The author is not responsible for the consequences of use of
-+ * this software, no matter how awful, even if they arise
-+ * from defects in it.
-+ *
-+ * 2. The origin of this software must not be misrepresented, either
-+ * by explicit claim or by omission.
-+ *
-+ * 3. Altered versions must be plainly marked as such, and must not
-+ * be misrepresented as being the original software.
-+ *
-+ *
-+ * This code was modified by Ethan Sommer to work within the kernel
-+ * (it now uses kmalloc etc..)
-+ *
-+ */
-+#include "regexp.h"
-+#include "regmagic.h"
-+#include <linux/string.h>
-+
-+
-+#ifndef CHARBITS
-+#define UCHARAT(p) ((int)*(unsigned char *)(p))
-+#else
-+#define UCHARAT(p) ((int)*(p)&CHARBITS)
-+#endif
-+
-+#if 0
-+//void regerror(char * s)
-+//{
-+// printk("regexp(3): %s", s);
-+// /* NOTREACHED */
-+//}
-+#endif
-+
-+/*
-+ - regsub - perform substitutions after a regexp match
-+ */
-+void
-+regsub(regexp * prog, char * source, char * dest)
-+{
-+ register char *src;
-+ register char *dst;
-+ register char c;
-+ register int no;
-+ register int len;
-+
-+ /* Not necessary and gcc doesn't like it -MLS */
-+ /*extern char *strncpy();*/
-+
-+ if (prog == NULL || source == NULL || dest == NULL) {
-+ regerror("NULL parm to regsub");
-+ return;
-+ }
-+ if (UCHARAT(prog->program) != MAGIC) {
-+ regerror("damaged regexp fed to regsub");
-+ return;
-+ }
-+
-+ src = source;
-+ dst = dest;
-+ while ((c = *src++) != '\0') {
-+ if (c == '&')
-+ no = 0;
-+ else if (c == '\\' && '0' <= *src && *src <= '9')
-+ no = *src++ - '0';
-+ else
-+ no = -1;
-+
-+ if (no < 0) { /* Ordinary character. */
-+ if (c == '\\' && (*src == '\\' || *src == '&'))
-+ c = *src++;
-+ *dst++ = c;
-+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
-+ len = prog->endp[no] - prog->startp[no];
-+ (void) strncpy(dst, prog->startp[no], len);
-+ dst += len;
-+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
-+ regerror("damaged match string");
-+ return;
-+ }
-+ }
-+ }
-+ *dst++ = '\0';
-+}
-Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h
-===================================================================
---- linux-2.6.21.5.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 00:49:22.815369500 +0200
-+++ linux-2.6.21.5/include/net/netfilter/nf_conntrack.h 2007-07-02 00:56:21.413530250 +0200
-@@ -128,6 +128,21 @@
- u_int32_t secmark;
- #endif
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ struct {
-+ /*
-+ * e.g. "http". NULL before decision. "unknown" after decision
-+ * if no match.
-+ */
-+ char *app_proto;
-+ /*
-+ * application layer data so far. NULL after match decision.
-+ */
-+ char *app_data;
-+ unsigned int app_data_len;
-+ } layer7;
-+#endif
-+
- /* Storage reserved for other modules: */
- union nf_conntrack_proto proto;
-
-Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
===================================================================
---- linux-2.6.21.5.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200
-+++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 01:36:08.914739750 +0200
-@@ -21,6 +21,7 @@
+--- linux-2.6.21.7.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
char protocol[MAX_PROTOCOL_LEN];
- char invert:1;
char pattern[MAX_PATTERN_LEN];
-+ char pkt;
+ u_int8_t invert;
++ u_int8_t pkt;
};
- #endif /* _IPT_LAYER7_H */
-Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.21.7/net/netfilter/xt_layer7.c
===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:37:01.990056750 +0200
-@@ -299,33 +299,34 @@
- }
+--- linux-2.6.21.7.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.21.7/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
}
--/* add the new app data to the conntrack. Return number of bytes added. */
--static int add_data(struct ip_conntrack * master_conntrack,
-- char * app_data, int appdatalen)
+ /* add the new app data to the conntrack. Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
+- char * app_data, int appdatalen)
+static int add_datastr(char *target, int offset, char *app_data, int len)
{
int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len;
-
-- // This is a fix for a race condition by Deti Fliegl. However, I'm not
-- // clear on whether the race condition exists or whether this really
-- // fixes it. I might just be being dense... Anyway, if it's not really
-- // a fix, all it does is waste a very small amount of time.
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0;
-+ if(!target) return 0;
++
++ if (!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */
- i < appdatalen; i++) {
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] =
- /* the kernel version of tolower mungs 'upper ascii' */
- isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
length++;
}
}
+ target[length+offset] = '\0';
++
++ return length;
++}
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
- master_conntrack->layer7.app_data_len = length + oldlength;
-+ return length;
-+}
-+
+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
-+ char * app_data, int appdatalen)
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
+{
+ int length;
-+
+
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length;
-
return length;
}
-@@ -343,7 +344,7 @@
+
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo;
- struct nf_conn *master_conntrack;
- struct ip_conntrack *conntrack;
+ struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
+ unsigned char *app_data, *tmp_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
-@@ -365,8 +366,8 @@
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
- if(TOTAL_PACKETS > num_packets ||
- master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto)) {
-
- pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ master_conntrack->layer7.app_proto)) {
-@@ -396,6 +397,23 @@
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
- spin_unlock_bh(&list_lock);
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
+ kfree(tmp_data);
+ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
+
+ return (pattern_result ^ info->invert);
+ }
+
/* On the first packet of a connection, allocate space for app data */
- write_lock(&ct_lock);
- if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-26 20:21:54.586864296 +0200
+Index: linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_ipp2p.h
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
+#define IPP2P_MUTE (1 << 14)
+#define IPP2P_WASTE (1 << 15)
+#define IPP2P_XDCC (1 << 16)
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-26 20:21:54.587864144 +0200
+Index: linux-2.6.21.7/net/ipv4/netfilter/ipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/ipv4/netfilter/ipt_ipp2p.c
@@ -0,0 +1,882 @@
+#if defined(MODVERSIONS)
+#include <linux/modversions.h>
+{
+ const struct ipt_p2p_info *info = matchinfo;
+ unsigned char *haystack;
-+ struct iphdr *ip = skb->nh.iph;
++ struct iphdr *ip = ip_hdr(skb);
+ int p2p_result = 0, i = 0;
+// int head_len;
+ int hlen = ntohs(ip->tot_len)-(ip->ihl*4); /*hlen = packet-data length*/
+module_exit(fini);
+
+
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-05-26 20:17:47.626407992 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:21:54.587864144 +0200
-@@ -263,6 +263,12 @@
- help
- Say Y to get lots of debugging output.
+Index: linux-2.6.21.7/net/ipv4/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/ipv4/netfilter/Kconfig
++++ linux-2.6.21.7/net/ipv4/netfilter/Kconfig
+@@ -245,6 +245,12 @@ config IP_NF_MATCH_IPRANGE
+
+ To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_IPP2P
+ tristate "IPP2P"
config IP_NF_MATCH_TOS
tristate "TOS match support"
depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-05-26 20:17:47.638406168 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:21:54.588863992 +0200
-@@ -91,7 +91,7 @@
+Index: linux-2.6.21.7/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/ipv4/netfilter/Makefile
++++ linux-2.6.21.7/net/ipv4/netfilter/Makefile
+@@ -91,6 +91,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
--
+obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
- obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
# targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+++ /dev/null
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h 2007-05-26 20:40:10.922195992 +0200
-@@ -0,0 +1,5 @@
-+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-+# include <linux/netfilter_ipv4/ip_conntrack.h>
-+#else /* linux-2.6.20+ */
-+# include <net/netfilter/nf_nat_rule.h>
-+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,14 @@
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_MATCHINFOSIZE 1
-+# define HAVE_TARGUSERINFO 1
-+# define HAVE_TARGINFOSIZE 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
-+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
-+ tcp_v4_check((tcph_sz), (s), (d), (csp))
-+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
-+
-+enum xt_chaos_variant {
-+ XTCHAOS_NORMAL,
-+ XTCHAOS_TARPIT,
-+ XTCHAOS_DELUDE,
-+};
-+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
-+};
-+
-+#endif /* _LINUX_XT_CHAOS_H */
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
-+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
-+};
-+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/netfilter/find_match.c
---- linux-2.6.21.1.old/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/find_match.c 2007-05-26 20:40:10.970188696 +0200
-@@ -0,0 +1,39 @@
-+/*
-+ xt_request_find_match
-+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+
-+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
-+ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/err.h>
-+#include <linux/netfilter_arp.h>
-+#include <linux/socket.h>
-+#include <linux/netfilter/x_tables.h>
-+
-+/*
-+ * Yeah this code is sub-optimal, but the function is missing in
-+ * mainline so far. -jengelh
-+ */
-+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
-+ u8 revision)
-+{
-+ static const char *const xt_prefix[] = {
-+ [AF_INET] = "ip",
-+ [AF_INET6] = "ip6",
-+ [NF_ARP] = "arp",
-+ };
-+ struct xt_match *match;
-+
-+ match = try_then_request_module(xt_find_match(af, name, revision),
-+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
-+ return NULL;
-+
-+ return match;
-+}
-+
-+/* In case it goes into mainline, let this out-of-tree package compile */
-+#define xt_request_find_match xt_request_find_match_lo
-diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfilter/Kconfig
---- linux-2.6.21.1.old/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Kconfig 2007-05-26 20:40:11.003183680 +0200
-@@ -287,6 +287,14 @@
-
- # alphabetically ordered list of targets
-
-+config NETFILTER_XT_TARGET_CHAOS
-+ tristate '"CHAOS" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `CHAOS' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_CLASSIFY
- tristate '"CLASSIFY" target support'
- depends on NETFILTER_XTABLES
-@@ -315,6 +323,14 @@
- <file:Documentation/modules.txt>. The module will be called
- ipt_CONNMARK.o. If unsure, say `N'.
-
-+config NETFILTER_XT_TARGET_DELUDE
-+ tristate '"DELUDE" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `DELUDE' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_DSCP
- tristate '"DSCP" target support'
- depends on NETFILTER_XTABLES
-@@ -563,6 +579,14 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config NETFILTER_XT_MATCH_PORTSCAN
-+ tristate '"portscan" match support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a 'portscan' match support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_MATCH_MULTIPORT
- tristate "Multiple port match support"
- depends on NETFILTER_XTABLES
-diff -urN linux-2.6.21.1.old/net/netfilter/Makefile linux-2.6.21.1.dev/net/netfilter/Makefile
---- linux-2.6.21.1.old/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Makefile 2007-05-26 20:40:11.003183680 +0200
-@@ -37,8 +37,10 @@
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
-
- # targets
-+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
-+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -63,6 +65,7 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
-+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c
---- linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,204 @@
-+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/icmp.h>
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter_ipv4/ipt_REJECT.h>
-+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+/* Module parameters */
-+static unsigned int reject_percentage = ~0U * .01;
-+static unsigned int delude_percentage = ~0U * .0101;
-+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
-+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
-+
-+/* References to other matches/targets */
-+static struct xt_match *xm_tcp;
-+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
-+
-+static int have_delude, have_tarpit;
-+
-+/* Static data for other matches/targets */
-+static const struct ipt_reject_info reject_params = {
-+ .with = ICMP_HOST_UNREACH,
-+};
-+
-+static const struct xt_tcp tcp_params = {
-+ .spts = {0, ~0},
-+ .dpts = {0, ~0},
-+};
-+
-+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
-+ struct sk_buff **pskb, const struct net_device *in,
-+ const struct net_device *out, unsigned int hooknum)
-+{
-+ const int protoff = 4 * (*pskb)->nh.iph->ihl;
-+ const int offset = ntohs((*pskb)->nh.iph->frag_off) & IP_OFFSET;
-+ const struct xt_target *destiny;
-+ int hotdrop = 0, ret;
-+
-+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
-+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
-+ return;
-+
-+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
-+#else
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL);
-+#endif
-+ return;
-+}
-+
-+static unsigned int xt_chaos_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* Equivalent to:
-+ * -A chaos -m statistic --mode random --probability \
-+ * $reject_percentage -j REJECT --reject-with host-unreach;
-+ * -A chaos -p tcp -m statistic --mode random --probability \
-+ * $delude_percentage -j DELUDE;
-+ * -A chaos -j DROP;
-+ */
-+ const struct xt_chaos_info *info = targinfo;
-+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params);
-+#endif
-+
-+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if((*pskb)->nh.iph->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
-+ xt_chaos_total(info, pskb, in, out, hooknum);
-+
-+ return NF_DROP;
-+}
-+
-+static int xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
-+ "DELUDE module not available\n");
-+ return 0;
-+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
-+ "TARPIT module not available\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_chaos_info = {
-+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
-+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_chaos_init(void)
-+{
-+ int ret = -EINVAL;
-+
-+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"tcp\" match\n");
-+ return -EINVAL;
-+ }
-+
-+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"REJECT\" target\n");
-+ goto out2;
-+ }
-+
-+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
-+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"TARPIT\" target\n");
-+
-+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
-+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"DELUDE\" target\n");
-+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
-+ printk(KERN_WARNING PFX "xt_register_target returned "
-+ "error %d\n", ret);
-+ goto out3;
-+ }
-+
-+ return 0;
-+
-+ out3:
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ module_put(xt_reject->me);
-+ out2:
-+ module_put(xm_tcp->me);
-+ return ret;
-+}
-+
-+static void __exit xt_chaos_exit(void)
-+{
-+ xt_unregister_target(&xt_chaos_info);
-+ module_put(xm_tcp->me);
-+ module_put(xt_reject->me);
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ return;
-+}
-+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_CHAOS");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c
---- linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,288 @@
-+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/ip.h>
-+#include <linux/random.h>
-+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+# include <linux/netfilter_bridge.h>
-+#endif
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
-+{
-+ struct iphdr *iph = skb->nh.iph;
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = oldskb->nh.iph;
-+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
-+ unsigned int addr_type;
-+
-+ /* IP header checks: fragment. */
-+ if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
-+ return;
-+
-+ oth = skb_header_pointer(oldskb, oldskb->nh.iph->ihl * 4,
-+ sizeof(_otcph), &_otcph);
-+ if (oth == NULL)
-+ return;
-+
-+ /* No RST for RST. */
-+ if (oth->rst)
-+ return;
-+
-+ /* Check checksum */
-+ if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
-+ return;
-+
-+ /* We need a linear, writeable skb. We also need to expand
-+ headroom in case hh_len of incoming interface < hh_len of
-+ outgoing interface */
-+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
-+ GFP_ATOMIC);
-+ if (!nskb)
-+ return;
-+
-+ /* This packet will not be the same as the other: clear nf fields */
-+ nf_reset(nskb);
-+ nskb->nfmark = 0;
-+ skb_init_secmark(nskb);
-+
-+ skb_shinfo(nskb)->gso_size = 0;
-+ skb_shinfo(nskb)->gso_segs = 0;
-+ skb_shinfo(nskb)->gso_type = 0;
-+
-+ tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
-+
-+ /* Swap source and dest */
-+ tmp_addr = nskb->nh.iph->saddr;
-+ nskb->nh.iph->saddr = nskb->nh.iph->daddr;
-+ nskb->nh.iph->daddr = tmp_addr;
-+ tmp_port = tcph->source;
-+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
-+
-+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
-+ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
-+ nskb->nh.iph->tot_len = htons(nskb->len);
-+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
-+ /* DELUDE essential part */
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
-+ oldskb->len - oldskb->nh.iph->ihl * 4 -
-+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ nskb->nh.iph->saddr, nskb->nh.iph->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
-+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - oldskb->nh.iph->ihl*4
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
-+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
-+ }
-+
-+ /* Reset flags */
-+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
-+ tcph->ack = needs_ack;
-+ }
-+
-+
-+ tcph->window = 0;
-+ tcph->urg_ptr = 0;
-+
-+ /* Adjust TCP checksum */
-+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ nskb->nh.iph->saddr,
-+ nskb->nh.iph->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
-+
-+ /* Set DF, id = 0 */
-+ nskb->nh.iph->frag_off = htons(IP_DF);
-+ nskb->nh.iph->id = 0;
-+
-+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ )
-+ addr_type = RTN_LOCAL;
-+
-+ if (ip_route_me_harder(&nskb, addr_type))
-+ goto free_nskb;
-+
-+ nskb->ip_summed = CHECKSUM_NONE;
-+
-+ /* Adjust IP TTL */
-+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
-+
-+ /* Adjust IP checksum */
-+ nskb->nh.iph->check = 0;
-+ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
-+ nskb->nh.iph->ihl);
-+
-+ /* "Never happens" */
-+ if (nskb->len > dst_mtu(nskb->dst))
-+ goto free_nskb;
-+
-+ nf_ct_attach(nskb, oldskb);
-+
-+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-+ dst_output);
-+ return;
-+
-+ free_nskb:
-+ kfree_skb(nskb);
-+}
-+
-+static unsigned int xt_delude_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* WARNING: This code causes reentry within iptables.
-+ This means that the iptables jump stack is now crap. We
-+ must return an absolute verdict. --RR */
-+ send_reset(*pskb, hooknum);
-+ return NF_DROP;
-+}
-+
-+static int xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_delude_info = {
-+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
-+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_delude_init(void)
-+{
-+ return xt_register_target(&xt_delude_info);
-+}
-+
-+static void __exit xt_delude_exit(void)
-+{
-+ xt_unregister_target(&xt_delude_info);
-+}
-+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_DELUDE");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/netfilter/xt_portscan.c
---- linux-2.6.21.1.old/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_portscan.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,272 @@
-+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/moduleparam.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/tcp.h>
-+#include <linux/types.h>
-+#include <linux/version.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+enum {
-+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
-+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
-+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
-+};
-+
-+/* Module parameters */
-+static unsigned int
-+ connmark_mask = ~0,
-+ packet_mask = ~0,
-+ mark_seen = 0x9,
-+ mark_synrcv = 0x1,
-+ mark_closed = 0x2,
-+ mark_synscan = 0x3,
-+ mark_estab1 = 0x4,
-+ mark_estab2 = 0x5,
-+ mark_cnscan = 0x6,
-+ mark_grscan = 0x7,
-+ mark_valid = 0x8;
-+
-+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
-+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
-+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
-+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
-+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
-+MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
-+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
-+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
-+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
-+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
-+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
-+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
-+
-+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_ack6(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_fin(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
-+}
-+
-+static inline int tflg_rst(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
-+}
-+
-+static inline int tflg_rstack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_ACK | TCP_FLAG_RST);
-+}
-+
-+static inline int tflg_syn(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
-+}
-+
-+static inline int tflg_synack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
-+}
-+
-+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
-+{
-+ /*
-+ * "Connection refused" replies to our own probes must not be matched.
-+ */
-+ if(tflg_rstack(th))
-+ return 0;
-+
-+ if(tflg_rst(th) && printk_ratelimit()) {
-+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
-+ }
-+
-+ /*
-+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
-+ * packets that are not associated with any connection -- this will
-+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
-+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
-+ */
-+ return !tflg_syn(th);
-+}
-+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
-+{
-+ if(mark == mark_estab2) {
-+ /*
-+ * -m connmark --mark $ESTAB2
-+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
-+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_grscan;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_estab1) {
-+ /*
-+ * -m connmark --mark $ESTAB1
-+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
-+ return mark_estab2;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
-+ /*
-+ * -m connmark --mark $SYN
-+ */
-+ if(loopback && tflg_synack(tcph))
-+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
-+ return mark_closed;
-+ else if(tflg_ack6(tcph))
-+ return mark_estab1;
-+ else
-+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
-+ /*
-+ * -p tcp --syn --ctstate NEW
-+ */
-+ return mark_synrcv;
-+ }
-+ return mark;
-+}
-+
-+static int xt_portscan_match(const struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo, int offset,
-+ unsigned int protoff, int *hotdrop)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+ enum ip_conntrack_info ctstate;
-+ struct ip_conntrack *ctdata;
-+ const struct tcphdr *tcph;
-+ struct tcphdr tcph_buf;
-+
-+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
-+ return 0;
-+
-+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = ip_conntrack_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
-+ /*
-+ * If @ctdata is NULL, we cannot match the other scan
-+ * types, return.
-+ */
-+ return 0;
-+ }
-+
-+ /*
-+ * If -m portscan was previously applied to this packet, the rules we
-+ * simulate must not be run through again. And for speedup, do not call
-+ * it either when the connection is already VALID.
-+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
-+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
-+ in == &loopback_dev, tcph,
-+ skb->len - protoff - 4 * tcph->doff);
-+
-+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
-+ }
-+
-+ return (info->match_syn && ctdata->mark == mark_synscan) ||
-+ (info->match_cn && ctdata->mark == mark_cnscan) ||
-+ (info->match_gr && ctdata->mark == mark_grscan);
-+}
-+
-+static int xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return 0;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
-+ printk(KERN_WARNING PFX "Invalid flags\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_match xt_portscan = {
-+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_portscan_init(void)
-+{
-+ return xt_register_match(&xt_portscan);
-+}
-+
-+static void __exit xt_portscan_exit(void)
-+{
-+ xt_unregister_match(&xt_portscan);
-+ return;
-+}
-+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_portscan");
--- /dev/null
+Index: linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
+@@ -0,0 +1,5 @@
++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
++# include <linux/netfilter_ipv4/ip_conntrack.h>
++#else /* linux-2.6.20+ */
++# include <net/netfilter/nf_nat_rule.h>
++#endif
+Index: linux-2.6.21.7/include/linux/netfilter/oot_trans.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/oot_trans.h
+@@ -0,0 +1,14 @@
++/* Out of tree workarounds */
++#include <linux/version.h>
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
++# define HAVE_MATCHINFOSIZE 1
++# define HAVE_TARGUSERINFO 1
++# define HAVE_TARGINFOSIZE 1
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
++# define nfmark mark
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
++ tcp_v4_check((tcph_sz), (s), (d), (csp))
++#endif
+Index: linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
+@@ -0,0 +1,14 @@
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
++
++enum xt_chaos_target_variant {
++ XTCHAOS_NORMAL,
++ XTCHAOS_TARPIT,
++ XTCHAOS_DELUDE,
++};
++
++struct xt_chaos_target_info {
++ uint8_t variant;
++};
++
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
+@@ -0,0 +1,8 @@
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
++
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
++};
++
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.21.7/net/netfilter/find_match.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/find_match.c
+@@ -0,0 +1,39 @@
++/*
++ xt_request_find_match
++ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++
++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
++ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
++*/
++#include <linux/err.h>
++#include <linux/netfilter_arp.h>
++#include <linux/socket.h>
++#include <linux/netfilter/x_tables.h>
++
++/*
++ * Yeah this code is sub-optimal, but the function is missing in
++ * mainline so far. -jengelh
++ */
++static struct xt_match *xt_request_find_match_lo(int af, const char *name,
++ u8 revision)
++{
++ static const char *const xt_prefix[] = {
++ [AF_INET] = "ip",
++ [AF_INET6] = "ip6",
++ [NF_ARP] = "arp",
++ };
++ struct xt_match *match;
++
++ match = try_then_request_module(xt_find_match(af, name, revision),
++ "%st_%s", xt_prefix[af], name);
++ if (IS_ERR(match) || match == NULL)
++ return NULL;
++
++ return match;
++}
++
++/* In case it goes into mainline, let this out-of-tree package compile */
++#define xt_request_find_match xt_request_find_match_lo
+Index: linux-2.6.21.7/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Kconfig
++++ linux-2.6.21.7/net/netfilter/Kconfig
+@@ -287,6 +287,14 @@ config NETFILTER_XTABLES
+
+ # alphabetically ordered list of targets
+
++config NETFILTER_XT_TARGET_CHAOS
++ tristate '"CHAOS" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `CHAOS' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_CLASSIFY
+ tristate '"CLASSIFY" target support'
+ depends on NETFILTER_XTABLES
+@@ -315,6 +323,14 @@ config NETFILTER_XT_TARGET_CONNMARK
+ <file:Documentation/modules.txt>. The module will be called
+ ipt_CONNMARK.o. If unsure, say `N'.
+
++config NETFILTER_XT_TARGET_DELUDE
++ tristate '"DELUDE" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `DELUDE' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_DSCP
+ tristate '"DSCP" target support'
+ depends on NETFILTER_XTABLES
+@@ -563,6 +579,14 @@ config NETFILTER_XT_MATCH_POLICY
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_PORTSCAN
++ tristate '"portscan" match support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a 'portscan' match support.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_MATCH_MULTIPORT
+ tristate "Multiple port match support"
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.21.7/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Makefile
++++ linux-2.6.21.7/net/netfilter/Makefile
+@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
+Index: linux-2.6.21.7/net/netfilter/xt_CHAOS.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
++/*
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/icmp.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <linux/netfilter_ipv4/ipt_REJECT.h>
++#include <net/ip.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++/* Module parameters */
++static unsigned int reject_percentage = ~0U * .01;
++static unsigned int delude_percentage = ~0U * .0101;
++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
++
++/* References to other matches/targets */
++static struct xt_match *xm_tcp;
++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
++
++static int have_delude, have_tarpit;
++
++/* Static data for other matches/targets */
++static const struct ipt_reject_info reject_params = {
++ .with = ICMP_HOST_UNREACH,
++};
++
++static const struct xt_tcp tcp_params = {
++ .spts = {0, ~0},
++ .dpts = {0, ~0},
++};
++
++/* CHAOS functions */
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
++ struct sk_buff **pskb, const struct net_device *in,
++ const struct net_device *out, unsigned int hooknum)
++{
++ const struct iphdr *iph = ip_hdr(*pskb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
++ const struct xt_target *destiny;
++ int hotdrop = 0, ret;
++
++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
++ offset, protoff, &hotdrop);
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ return;
++
++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
++ destiny->target(pskb, in, out, hooknum, destiny, NULL);
++ return;
++}
++
++static unsigned int chaos_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /*
++ * Equivalent to:
++ * -A chaos -m statistic --mode random --probability \
++ * $reject_percentage -j REJECT --reject-with host-unreach;
++ * -A chaos -p tcp -m statistic --mode random --probability \
++ * $delude_percentage -j DELUDE;
++ * -A chaos -j DROP;
++ */
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(*pskb);
++
++ if ((unsigned int)net_random() <= reject_percentage)
++ return xt_reject->target(pskb, in, out, hooknum, target,
++ &reject_params);
++
++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ xt_chaos_total(info, pskb, in, out, hooknum);
++
++ return NF_DROP;
++}
++
++static int chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
++{
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
++ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
++ "DELUDE module not available\n");
++ return false;
++ }
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
++ "TARPIT module not available\n");
++ return false;
++ }
++
++ return true;
++}
++
++static struct xt_target chaos_tg_reg = {
++ .name = "CHAOS",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
++ (1 << NF_IP_LOCAL_OUT),
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
++ .me = THIS_MODULE,
++};
++
++static int __init chaos_tg_init(void)
++{
++ int ret = -EINVAL;
++
++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
++ if (xm_tcp == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"tcp\" match\n");
++ return -EINVAL;
++ }
++
++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
++ if (xt_reject == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"REJECT\" target\n");
++ goto out2;
++ }
++
++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
++ have_tarpit = xt_tarpit != NULL;
++ if (!have_tarpit)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"TARPIT\" target\n");
++
++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
++ have_delude = xt_delude != NULL;
++ if (!have_delude)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"DELUDE\" target\n");
++
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
++ printk(KERN_WARNING PFX "xt_register_target returned "
++ "error %d\n", ret);
++ goto out3;
++ }
++
++ return 0;
++
++ out3:
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ module_put(xt_reject->me);
++ out2:
++ module_put(xm_tcp->me);
++ return ret;
++}
++
++static void __exit chaos_tg_exit(void)
++{
++ xt_unregister_target(&chaos_tg_reg);
++ module_put(xm_tcp->me);
++ module_put(xt_reject->me);
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ return;
++}
++
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_CHAOS");
+Index: linux-2.6.21.7/net/netfilter/xt_DELUDE.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
++/*
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/netfilter/x_tables.h>
++#ifdef CONFIG_BRIDGE_NETFILTER
++# include <linux/netfilter_bridge.h>
++#endif
++#include <net/tcp.h>
++#define PFX KBUILD_MODNAME ": "
++
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
++{
++ struct tcphdr _otcph, *oth, *tcph;
++ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
++
++ /* IP header checks: fragment. */
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
++ return;
++
++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
++ sizeof(_otcph), &_otcph);
++ if (oth == NULL)
++ return;
++
++ /* No RST for RST. */
++ if (oth->rst)
++ return;
++
++ /* Check checksum */
++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
++ return;
++
++ /* We need a linear, writeable skb. We also need to expand
++ headroom in case hh_len of incoming interface < hh_len of
++ outgoing interface */
++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
++ GFP_ATOMIC);
++ if (!nskb)
++ return;
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_reset(nskb);
++ nskb->mark = 0;
++ skb_init_secmark(nskb);
++
++ skb_shinfo(nskb)->gso_size = 0;
++ skb_shinfo(nskb)->gso_segs = 0;
++ skb_shinfo(nskb)->gso_type = 0;
++
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
++
++ /* Swap source and dest */
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
++ tcph->source = tcph->dest;
++ tcph->dest = tmp_port;
++
++ /* Truncate to length (no data) */
++ tcph->doff = sizeof(struct tcphdr) / 4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ /* DELUDE essential part */
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
++ oldskb->len - ip_hdrlen(oldskb) -
++ (oth->doff << 2));
++ tcph->seq = false;
++ tcph->ack = true;
++ } else {
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
++ } else {
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = true;
++ tcph->ack = needs_ack;
++ }
++
++ tcph->window = 0;
++ tcph->urg_ptr = 0;
++
++ /* Adjust TCP checksum */
++ tcph->check = 0;
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ addr_type = RTN_UNSPEC;
++#ifdef CONFIG_BRIDGE_NETFILTER
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
++#endif
++ addr_type = RTN_LOCAL;
++
++ if (ip_route_me_harder(&nskb, addr_type))
++ goto free_nskb;
++
++ nskb->ip_summed = CHECKSUM_NONE;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ nf_ct_attach(nskb, oldskb);
++
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
++ dst_output);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int delude_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /* WARNING: This code causes reentry within iptables.
++ This means that the iptables jump stack is now crap. We
++ must return an absolute verdict. --RR */
++ delude_send_reset(*pskb, hooknum);
++ return NF_DROP;
++}
++
++static struct xt_target delude_tg_reg = {
++ .name = "DELUDE",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init delude_tg_init(void)
++{
++ return xt_register_target(&delude_tg_reg);
++}
++
++static void __exit delude_tg_exit(void)
++{
++ xt_unregister_target(&delude_tg_reg);
++}
++
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_DELUDE");
+Index: linux-2.6.21.7/net/netfilter/xt_portscan.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
++/*
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/moduleparam.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/tcp.h>
++#include <linux/types.h>
++#include <linux/version.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++enum {
++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
++};
++
++/* Module parameters */
++static unsigned int
++ connmark_mask = ~0,
++ packet_mask = ~0,
++ mark_seen = 0x9,
++ mark_synrcv = 0x1,
++ mark_closed = 0x2,
++ mark_synscan = 0x3,
++ mark_estab1 = 0x4,
++ mark_estab2 = 0x5,
++ mark_cnscan = 0x6,
++ mark_grscan = 0x7,
++ mark_valid = 0x8;
++
++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
++module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
++module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
++module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
++MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
++
++/* TCP flag functions */
++static inline bool tflg_ack4(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_ack6(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_fin(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
++}
++
++static inline bool tflg_rst(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
++}
++
++static inline bool tflg_rstack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_ACK | TCP_FLAG_RST);
++}
++
++static inline bool tflg_syn(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
++}
++
++static inline bool tflg_synack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_SYN | TCP_FLAG_ACK);
++}
++
++/* portscan functions */
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
++{
++ /*
++ * "Connection refused" replies to our own probes must not be matched.
++ */
++ if (tflg_rstack(th))
++ return false;
++
++ if (tflg_rst(th) && printk_ratelimit()) {
++ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
++ return false;
++ }
++
++ /*
++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
++ * packets that are not associated with any connection -- this will
++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
++ */
++ return !tflg_syn(th);
++}
++
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
++{
++ if (mark == mark_estab2) {
++ /*
++ * -m connmark --mark $ESTAB2
++ */
++ if (tflg_ack4(tcph) && payload_len == 0)
++ return mark; /* keep mark */
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_grscan;
++ else
++ return mark_valid;
++ } else if (mark == mark_estab1) {
++ /*
++ * -m connmark --mark $ESTAB1
++ */
++ if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_cnscan;
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
++ return mark_estab2;
++ else
++ return mark_valid;
++ } else if (mark == mark_synrcv) {
++ /*
++ * -m connmark --mark $SYN
++ */
++ if (loopback && tflg_synack(tcph))
++ return mark; /* keep mark */
++ else if (loopback && tflg_rstack(tcph))
++ return mark_closed;
++ else if (tflg_ack6(tcph))
++ return mark_estab1;
++ else
++ return mark_synscan;
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ /*
++ * -p tcp --syn --ctstate NEW
++ */
++ return mark_synrcv;
++ }
++ return mark;
++}
++
++static int portscan_mt(const struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ const struct xt_match *match, const void *matchinfo, int offset,
++ unsigned int protoff, int *hotdrop)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++ enum ip_conntrack_info ctstate;
++ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
++ struct tcphdr tcph_buf;
++
++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
++ if (tcph == NULL)
++ return false;
++
++ /* Check for invalid packets: -m conntrack --ctstate INVALID */
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
++ /*
++ * If @ctdata is NULL, we cannot match the other scan
++ * types, return.
++ */
++ return false;
++ }
++
++ /*
++ * If -m portscan was previously applied to this packet, the rules we
++ * simulate must not be run through again. And for speedup, do not call
++ * it either when the connection is already VALID.
++ */
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
++ unsigned int n;
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++ in == &loopback_dev, tcph,
++ skb->len - protoff - 4 * tcph->doff);
++
++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
++ }
++
++ return (info->match_syn && ctdata->mark == mark_synscan) ||
++ (info->match_cn && ctdata->mark == mark_cnscan) ||
++ (info->match_gr && ctdata->mark == mark_grscan);
++}
++
++static int portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ printk(KERN_WARNING PFX "Invalid flags\n");
++ return false;
++ }
++ return true;
++}
++
++static struct xt_match portscan_mt_reg __read_mostly = {
++ .name = "portscan",
++ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init portscan_mt_init(void)
++{
++ return xt_register_match(&portscan_mt_reg);
++}
++
++static void __exit portscan_mt_exit(void)
++{
++ xt_unregister_match(&portscan_mt_reg);
++ return;
++}
++
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_portscan");
--- /dev/null
+Index: linux-2.6.21.7/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Kconfig
++++ linux-2.6.21.7/net/netfilter/Kconfig
+@@ -414,6 +414,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_TARGET_TARPIT
++ tristate '"TARPIT" target support'
++ depends on NETFILTER_XTABLES
++ ---help---
++ Adds a TARPIT target to iptables, which captures and holds
++ incoming TCP connections using no local per-connection resources.
++ Connections are accepted, but immediately switched to the persist
++ state (0 byte window), in which the remote side stops sending data
++ and asks to continue every 60-240 seconds. Attempts to close the
++ connection are ignored, forcing the remote side to time out the
++ connection in 12-24 minutes.
++
++ This offers similar functionality to LaBrea
++ <http://www.hackbusters.net/LaBrea/>, but does not require dedicated
++ hardware or IPs. Any TCP port that you would normally DROP or REJECT
++ can instead become a tarpit.
++
+ config NETFILTER_XT_TARGET_TCPMSS
+ tristate '"TCPMSS" target support'
+ depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
+Index: linux-2.6.21.7/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Makefile
++++ linux-2.6.21.7/net/netfilter/Makefile
+@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
+ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+Index: linux-2.6.21.7/net/netfilter/xt_TARPIT.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_TARPIT.c
+@@ -0,0 +1,280 @@
++/*
++ * Kernel module to capture and hold incoming TCP connections using
++ * no local per-connection resources.
++ *
++ * Based on ipt_REJECT.c and offering functionality similar to
++ * LaBrea <http://www.hackbusters.net/LaBrea/>.
++ *
++ * Copyright (c) 2002 Aaron Hopkins <tools@die.net>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++ *
++ * Goal:
++ * - Allow incoming TCP connections to be established.
++ * - Passing data should result in the connection being switched to the
++ * persist state (0 byte window), in which the remote side stops sending
++ * data and asks to continue every 60 seconds.
++ * - Attempts to shut down the connection should be ignored completely, so
++ * the remote side ends up having to time it out.
++ *
++ * This means:
++ * - Reply to TCP SYN,!ACK,!RST,!FIN with SYN-ACK, window 5 bytes
++ * - Reply to TCP SYN,ACK,!RST,!FIN with RST to prevent spoofing
++ * - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited
++ */
++
++#include <linux/version.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <net/ip.h>
++#include <net/tcp.h>
++#include <net/icmp.h>
++struct in_device;
++#include <net/route.h>
++#include <linux/random.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++#if 0
++#define DEBUGP printk
++#else
++#define DEBUGP(format, args...)
++#endif
++
++/* Stolen from ip_finish_output2 */
++static int ip_direct_send(struct sk_buff *skb)
++{
++ struct dst_entry *dst = skb->dst;
++
++ if (dst->hh != NULL)
++ return neigh_hh_output(dst->hh, skb);
++ else if (dst->neighbour != NULL)
++ return dst->neighbour->output(skb);
++
++ if (net_ratelimit())
++ printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n");
++
++ kfree_skb(skb);
++ return -EINVAL;
++}
++
++
++/* Send reply */
++static void tarpit_tcp(const struct sk_buff *oskb, struct rtable *ort,
++ unsigned int local)
++{
++ struct sk_buff *nskb;
++ struct rtable *nrt;
++ struct tcphdr *otcph, *ntcph;
++ struct flowi fl = {};
++ unsigned int otcplen;
++ u_int16_t tmp;
++
++ const struct iphdr *oiph = ip_hdr(oskb);
++ struct iphdr *niph;
++
++ /* A truncated TCP header is not going to be useful */
++ if (oskb->len < ip_hdrlen(oskb) + sizeof(struct tcphdr))
++ return;
++
++ otcph = (void *)oiph + ip_hdrlen(oskb);
++ otcplen = oskb->len - ip_hdrlen(oskb);
++
++ /* No replies for RST or FIN */
++ if (otcph->rst || otcph->fin)
++ return;
++
++ /* No reply to !SYN,!ACK. Rate-limit replies to !SYN,ACKs */
++ if (!otcph->syn && (!otcph->ack || !xrlim_allow(&ort->u.dst, 1*HZ)))
++ return;
++
++ /* Check checksum. */
++ if (tcp_v4_check(otcplen, oiph->saddr, oiph->daddr,
++ csum_partial((char *)otcph, otcplen, 0)) != 0)
++ return;
++
++ /*
++ * Copy skb (even if skb is about to be dropped, we cannot just
++ * clone it because there may be other things, such as tcpdump,
++ * interested in it)
++ */
++ nskb = skb_copy(oskb, GFP_ATOMIC);
++ if (nskb == NULL)
++ return;
++
++ niph = ip_hdr(nskb);
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_conntrack_put(nskb->nfct);
++ nskb->nfct = NULL;
++#ifdef CONFIG_NETFILTER_DEBUG
++ nskb->nf_debug = 0;
++#endif
++
++ ntcph = (void *)niph + ip_hdrlen(nskb);
++
++ /* Truncate to length (no data) */
++ ntcph->doff = sizeof(struct tcphdr)/4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ /* Swap source and dest */
++ niph->daddr = xchg(&niph->saddr, niph->daddr);
++ tmp = ntcph->source;
++ ntcph->source = ntcph->dest;
++ ntcph->dest = tmp;
++
++ /* Use supplied sequence number or make a new one */
++ ntcph->seq = otcph->ack ? otcph->ack_seq
++ : htonl(secure_tcp_sequence_number(niph->saddr,
++ niph->daddr,
++ ntcph->source,
++ ntcph->dest));
++
++ /* Our SYN-ACKs must have a >0 window */
++ ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
++
++ ntcph->urg_ptr = 0;
++
++ /* Reset flags */
++ ((u_int8_t *)ntcph)[13] = 0;
++
++ if (otcph->syn && otcph->ack) {
++ ntcph->rst = 1;
++ ntcph->ack_seq = 0;
++ } else {
++ ntcph->syn = otcph->syn;
++ ntcph->ack = 1;
++ ntcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn);
++ }
++
++ /* Adjust TCP checksum */
++ ntcph->check = 0;
++ ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
++ niph->saddr,
++ niph->daddr,
++ csum_partial((char *)ntcph,
++ sizeof(struct tcphdr), 0));
++
++ fl.nl_u.ip4_u.daddr = niph->daddr;
++ fl.nl_u.ip4_u.saddr = local ? niph->saddr : 0;
++ fl.nl_u.ip4_u.tos = RT_TOS(niph->tos) | RTO_CONN;
++ fl.oif = 0;
++
++ if (ip_route_output_key(&nrt, &fl))
++ goto free_nskb;
++
++ dst_release(nskb->dst);
++ nskb->dst = &nrt->u.dst;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum((unsigned char *)niph, niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ ip_direct_send(nskb);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int xt_tarpit_target(struct sk_buff **pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ unsigned int hooknum,
++ const struct xt_target *target,
++ const void *targinfo)
++{
++ const struct sk_buff *skb = *pskb;
++ const struct iphdr *iph = ip_hdr(skb);
++ struct rtable *rt = (void *)skb->dst;
++
++ /* Do we have an input route cache entry? */
++ if (rt == NULL)
++ return NF_DROP;
++
++ /* No replies to physical multicast/broadcast */
++ if (skb->pkt_type != PACKET_HOST && skb->pkt_type != PACKET_OTHERHOST)
++ return NF_DROP;
++
++ /* Now check at the protocol level */
++ if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
++ return NF_DROP;
++
++ /*
++ * Our naive response construction does not deal with IP
++ * options, and probably should not try.
++ */
++ if (iph->ihl * 4 != sizeof(struct iphdr))
++ return NF_DROP;
++
++ /* We are not interested in fragments */
++ if (iph->frag_off & htons(IP_OFFSET))
++ return NF_DROP;
++
++ tarpit_tcp(skb, rt, hooknum == NF_IP_LOCAL_IN);
++ return NF_DROP;
++}
++
++static int xt_tarpit_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo,
++ unsigned int hook_mask)
++{
++ bool invalid;
++
++ if (strcmp(tablename, "raw") == 0 && hook_mask == NF_IP_PRE_ROUTING)
++ return true;
++ if (strcmp(tablename, "filter") != 0)
++ return false;
++ invalid = hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD));
++ return !invalid;
++}
++
++static struct xt_target xt_tarpit_reg = {
++ .name = "TARPIT",
++ .family = AF_INET,
++ .proto = IPPROTO_TCP,
++ .target = xt_tarpit_target,
++ .checkentry = xt_tarpit_check,
++ .me = THIS_MODULE,
++};
++
++static int __init xt_tarpit_init(void)
++{
++ return xt_register_target(&xt_tarpit_reg);
++}
++
++static void __exit xt_tarpit_exit(void)
++{
++ xt_unregister_target(&xt_tarpit_reg);
++}
++
++module_init(xt_tarpit_init);
++module_exit(xt_tarpit_exit);
++MODULE_DESCRIPTION("netfilter xt_TARPIT target module");
++MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_TARPIT");
--- /dev/null
+Index: linux-2.6.21.7/include/linux/ip.h
+===================================================================
+--- linux-2.6.21.7.orig/include/linux/ip.h
++++ linux-2.6.21.7/include/linux/ip.h
+@@ -104,6 +104,16 @@ struct iphdr {
+ /*The options start here. */
+ };
+
++#ifdef __KERNEL__
++#include <linux/skbuff.h>
++
++static inline struct iphdr *ip_hdr(const struct sk_buff *skb)
++{
++ return (struct iphdr *)skb_network_header(skb);
++}
++
++#endif
++
+ struct ip_auth_hdr {
+ __u8 nexthdr;
+ __u8 hdrlen; /* This one is measured in 32 bit units! */
+Index: linux-2.6.21.7/include/linux/skbuff.h
+===================================================================
+--- linux-2.6.21.7.orig/include/linux/skbuff.h
++++ linux-2.6.21.7/include/linux/skbuff.h
+@@ -966,6 +966,16 @@ static inline void skb_reserve(struct sk
+ skb->tail += len;
+ }
+
++static inline unsigned char *skb_network_header(const struct sk_buff *skb)
++{
++ return skb->nh.raw;
++}
++
++static inline unsigned char *skb_tail_pointer(const struct sk_buff *skb)
++{
++ return skb->tail;
++}
++
+ /*
+ * CPUs often take a performance hit when accessing unaligned memory
+ * locations. The actual performance hit varies, it can be small if the
+Index: linux-2.6.21.7/include/net/ip.h
+===================================================================
+--- linux-2.6.21.7.orig/include/net/ip.h
++++ linux-2.6.21.7/include/net/ip.h
+@@ -43,6 +43,11 @@ struct inet_skb_parm
+ #define IPSKB_REROUTED 16
+ };
+
++static inline unsigned int ip_hdrlen(const struct sk_buff *skb)
++{
++ return ip_hdr(skb)->ihl * 4;
++}
++
+ struct ipcm_cookie
+ {
+ __be32 addr;
projects / openwrt.git / commitdiff