1 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h
2 --- linux/include/linux/netfilter_ipv4/ip_conntrack.h 2003-08-12 07:43:11.000000000 -0400
3 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h 2004-05-09 04:13:03.000000000 -0400
6 #include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
7 #include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
8 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
10 /* per conntrack: protocol private data */
11 union ip_conntrack_proto {
12 /* insert conntrack proto private data here */
13 - struct ip_ct_gre gre;
15 struct ip_ct_icmp icmp;
18 union ip_conntrack_expect_proto {
19 /* insert expect proto private data here */
20 - struct ip_ct_gre_expect gre;
23 /* Add protocol helper include file here */
24 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
25 -#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
26 -#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
28 #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
29 #include <linux/netfilter_ipv4/ip_conntrack_irc.h>
30 -#include <linux/netfilter_ipv4/ip_autofw.h>
32 /* per expectation: application helper private data */
33 union ip_conntrack_expect_help {
34 /* insert conntrack helper private data (expect) here */
35 - struct ip_ct_pptp_expect exp_pptp_info;
36 - struct ip_ct_mms_expect exp_mms_info;
37 - struct ip_ct_h225_expect exp_h225_info;
38 struct ip_ct_ftp_expect exp_ftp_info;
39 struct ip_ct_irc_expect exp_irc_info;
40 - struct ip_autofw_expect exp_autofw_info;
42 #ifdef CONFIG_IP_NF_NAT_NEEDED
45 /* per conntrack: application helper private data */
46 union ip_conntrack_help {
47 /* insert conntrack helper private data (master) here */
48 - struct ip_ct_pptp_master ct_pptp_info;
49 - struct ip_ct_mms_master ct_mms_info;
50 - struct ip_ct_h225_master ct_h225_info;
51 struct ip_ct_ftp_master ct_ftp_info;
52 struct ip_ct_irc_master ct_irc_info;
55 #ifdef CONFIG_IP_NF_NAT_NEEDED
56 #include <linux/netfilter_ipv4/ip_nat.h>
57 -#include <linux/netfilter_ipv4/ip_nat_pptp.h>
59 /* per conntrack: nat application helper private data */
60 union ip_conntrack_nat_help {
61 /* insert nat helper private data here */
62 - struct ip_nat_pptp nat_pptp_info;
69 extern unsigned int ip_conntrack_htable_size;
71 -/* connection tracking time out variables. */
72 -extern int sysctl_ip_conntrack_tcp_timeouts[10];
73 -extern int sysctl_ip_conntrack_udp_timeouts[2];
74 #endif /* __KERNEL__ */
75 #endif /* _IP_CONNTRACK_H */
76 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h
77 --- linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2003-07-04 04:12:27.000000000 -0400
78 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h 1969-12-31 19:00:00.000000000 -0500
80 -#ifndef _IP_CONNTRACK_H323_H
81 -#define _IP_CONNTRACK_H323_H
82 -/* H.323 connection tracking. */
85 -/* Protects H.323 related data */
86 -DECLARE_LOCK_EXTERN(ip_h323_lock);
89 -/* Default H.225 port */
90 -#define H225_PORT 1720
92 -/* This structure is per expected connection */
93 -struct ip_ct_h225_expect {
94 - u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */
95 - enum ip_conntrack_dir dir; /* Direction of the original connection */
96 - unsigned int offset; /* offset of the address in the payload */
99 -/* This structure exists only once per master */
100 -struct ip_ct_h225_master {
101 - int is_h225; /* H.225 or H.245 connection */
102 -#ifdef CONFIG_IP_NF_NAT_NEEDED
103 - enum ip_conntrack_dir dir; /* Direction of the original connection */
104 - u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */
105 - unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */
109 -#endif /* _IP_CONNTRACK_H323_H */
110 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h
111 --- linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2003-07-04 04:12:27.000000000 -0400
112 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h 1969-12-31 19:00:00.000000000 -0500
114 -#ifndef _IP_CONNTRACK_MMS_H
115 -#define _IP_CONNTRACK_MMS_H
119 -#include <linux/netfilter_ipv4/lockhelp.h>
121 -DECLARE_LOCK_EXTERN(ip_mms_lock);
123 -#define MMS_PORT 1755
124 -#define MMS_SRV_MSG_ID 196610
126 -#define MMS_SRV_MSG_OFFSET 36
127 -#define MMS_SRV_UNICODE_STRING_OFFSET 60
128 -#define MMS_SRV_CHUNKLENLV_OFFSET 16
129 -#define MMS_SRV_CHUNKLENLM_OFFSET 32
130 -#define MMS_SRV_MESSAGELENGTH_OFFSET 8
133 -/* This structure is per expected connection */
134 -struct ip_ct_mms_expect {
140 -/* This structure exists only once per master */
141 -struct ip_ct_mms_master {
144 -#endif /* _IP_CONNTRACK_MMS_H */
145 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h
146 --- linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2003-07-04 04:12:27.000000000 -0400
147 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 1969-12-31 19:00:00.000000000 -0500
149 -/* PPTP constants and structs */
150 -#ifndef _CONNTRACK_PPTP_H
151 -#define _CONNTRACK_PPTP_H
153 -/* state of the control session */
154 -enum pptp_ctrlsess_state {
155 - PPTP_SESSION_NONE, /* no session present */
156 - PPTP_SESSION_ERROR, /* some session error */
157 - PPTP_SESSION_STOPREQ, /* stop_sess request seen */
158 - PPTP_SESSION_REQUESTED, /* start_sess request seen */
159 - PPTP_SESSION_CONFIRMED, /* session established */
162 -/* state of the call inside the control session */
163 -enum pptp_ctrlcall_state {
167 - PPTP_CALL_OUT_CONF,
171 - PPTP_CALL_CLEAR_REQ,
175 -/* conntrack private data */
176 -struct ip_ct_pptp_master {
177 - enum pptp_ctrlsess_state sstate; /* session state */
179 - /* everything below is going to be per-expectation in newnat,
180 - * since there could be more than one call within one session */
181 - enum pptp_ctrlcall_state cstate; /* call state */
182 - u_int16_t pac_call_id; /* call id of PAC, host byte order */
183 - u_int16_t pns_call_id; /* call id of PNS, host byte order */
186 -/* conntrack_expect private member */
187 -struct ip_ct_pptp_expect {
188 - enum pptp_ctrlcall_state cstate; /* call state */
189 - u_int16_t pac_call_id; /* call id of PAC */
190 - u_int16_t pns_call_id; /* call id of PNS */
196 -#include <linux/netfilter_ipv4/lockhelp.h>
197 -DECLARE_LOCK_EXTERN(ip_pptp_lock);
199 -#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
201 -union pptp_ctrl_union {
203 - struct PptpStartSessionRequest *sreq;
204 - struct PptpStartSessionReply *srep;
205 - struct PptpStopSessionReqest *streq;
206 - struct PptpStopSessionReply *strep;
207 - struct PptpOutCallRequest *ocreq;
208 - struct PptpOutCallReply *ocack;
209 - struct PptpInCallRequest *icreq;
210 - struct PptpInCallReply *icack;
211 - struct PptpInCallConnected *iccon;
212 - struct PptpClearCallRequest *clrreq;
213 - struct PptpCallDisconnectNotify *disc;
214 - struct PptpWanErrorNotify *wanerr;
215 - struct PptpSetLinkInfo *setlink;
220 -#define PPTP_CONTROL_PORT 1723
222 -#define PPTP_PACKET_CONTROL 1
223 -#define PPTP_PACKET_MGMT 2
225 -#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
227 -struct pptp_pkt_hdr {
228 - __u16 packetLength;
233 -/* PptpControlMessageType values */
234 -#define PPTP_START_SESSION_REQUEST 1
235 -#define PPTP_START_SESSION_REPLY 2
236 -#define PPTP_STOP_SESSION_REQUEST 3
237 -#define PPTP_STOP_SESSION_REPLY 4
238 -#define PPTP_ECHO_REQUEST 5
239 -#define PPTP_ECHO_REPLY 6
240 -#define PPTP_OUT_CALL_REQUEST 7
241 -#define PPTP_OUT_CALL_REPLY 8
242 -#define PPTP_IN_CALL_REQUEST 9
243 -#define PPTP_IN_CALL_REPLY 10
244 -#define PPTP_IN_CALL_CONNECT 11
245 -#define PPTP_CALL_CLEAR_REQUEST 12
246 -#define PPTP_CALL_DISCONNECT_NOTIFY 13
247 -#define PPTP_WAN_ERROR_NOTIFY 14
248 -#define PPTP_SET_LINK_INFO 15
250 -#define PPTP_MSG_MAX 15
252 -/* PptpGeneralError values */
253 -#define PPTP_ERROR_CODE_NONE 0
254 -#define PPTP_NOT_CONNECTED 1
255 -#define PPTP_BAD_FORMAT 2
256 -#define PPTP_BAD_VALUE 3
257 -#define PPTP_NO_RESOURCE 4
258 -#define PPTP_BAD_CALLID 5
259 -#define PPTP_REMOVE_DEVICE_ERROR 6
261 -struct PptpControlHeader {
266 -/* FramingCapability Bitmap Values */
267 -#define PPTP_FRAME_CAP_ASYNC 0x1
268 -#define PPTP_FRAME_CAP_SYNC 0x2
270 -/* BearerCapability Bitmap Values */
271 -#define PPTP_BEARER_CAP_ANALOG 0x1
272 -#define PPTP_BEARER_CAP_DIGITAL 0x2
274 -struct PptpStartSessionRequest {
275 - __u16 protocolVersion;
278 - __u32 framingCapability;
279 - __u32 bearerCapability;
281 - __u16 firmwareRevision;
283 - __u8 vendorString[64];
286 -/* PptpStartSessionResultCode Values */
287 -#define PPTP_START_OK 1
288 -#define PPTP_START_GENERAL_ERROR 2
289 -#define PPTP_START_ALREADY_CONNECTED 3
290 -#define PPTP_START_NOT_AUTHORIZED 4
291 -#define PPTP_START_UNKNOWN_PROTOCOL 5
293 -struct PptpStartSessionReply {
294 - __u16 protocolVersion;
296 - __u8 generalErrorCode;
297 - __u32 framingCapability;
298 - __u32 bearerCapability;
300 - __u16 firmwareRevision;
302 - __u8 vendorString[64];
305 -/* PptpStopReasons */
306 -#define PPTP_STOP_NONE 1
307 -#define PPTP_STOP_PROTOCOL 2
308 -#define PPTP_STOP_LOCAL_SHUTDOWN 3
310 -struct PptpStopSessionRequest {
314 -/* PptpStopSessionResultCode */
315 -#define PPTP_STOP_OK 1
316 -#define PPTP_STOP_GENERAL_ERROR 2
318 -struct PptpStopSessionReply {
320 - __u8 generalErrorCode;
323 -struct PptpEchoRequest {
327 -/* PptpEchoReplyResultCode */
328 -#define PPTP_ECHO_OK 1
329 -#define PPTP_ECHO_GENERAL_ERROR 2
331 -struct PptpEchoReply {
334 - __u8 generalErrorCode;
338 -/* PptpFramingType */
339 -#define PPTP_ASYNC_FRAMING 1
340 -#define PPTP_SYNC_FRAMING 2
341 -#define PPTP_DONT_CARE_FRAMING 3
343 -/* PptpCallBearerType */
344 -#define PPTP_ANALOG_TYPE 1
345 -#define PPTP_DIGITAL_TYPE 2
346 -#define PPTP_DONT_CARE_BEARER_TYPE 3
348 -struct PptpOutCallRequest {
350 - __u16 callSerialNumber;
355 - __u16 packetWindow;
356 - __u16 packetProcDelay;
358 - __u16 phoneNumberLength;
360 - __u8 phoneNumber[64];
361 - __u8 subAddress[64];
364 -/* PptpCallResultCode */
365 -#define PPTP_OUTCALL_CONNECT 1
366 -#define PPTP_OUTCALL_GENERAL_ERROR 2
367 -#define PPTP_OUTCALL_NO_CARRIER 3
368 -#define PPTP_OUTCALL_BUSY 4
369 -#define PPTP_OUTCALL_NO_DIAL_TONE 5
370 -#define PPTP_OUTCALL_TIMEOUT 6
371 -#define PPTP_OUTCALL_DONT_ACCEPT 7
373 -struct PptpOutCallReply {
377 - __u8 generalErrorCode;
379 - __u32 connectSpeed;
380 - __u16 packetWindow;
381 - __u16 packetProcDelay;
382 - __u32 physChannelID;
385 -struct PptpInCallRequest {
387 - __u16 callSerialNumber;
388 - __u32 callBearerType;
389 - __u32 physChannelID;
390 - __u16 dialedNumberLength;
391 - __u16 dialingNumberLength;
392 - __u8 dialedNumber[64];
393 - __u8 dialingNumber[64];
394 - __u8 subAddress[64];
397 -/* PptpInCallResultCode */
398 -#define PPTP_INCALL_ACCEPT 1
399 -#define PPTP_INCALL_GENERAL_ERROR 2
400 -#define PPTP_INCALL_DONT_ACCEPT 3
402 -struct PptpInCallReply {
406 - __u8 generalErrorCode;
407 - __u16 packetWindow;
408 - __u16 packetProcDelay;
412 -struct PptpInCallConnected {
415 - __u32 connectSpeed;
416 - __u16 packetWindow;
417 - __u16 packetProcDelay;
418 - __u32 callFramingType;
421 -struct PptpClearCallRequest {
426 -struct PptpCallDisconnectNotify {
429 - __u8 generalErrorCode;
432 - __u8 callStatistics[128];
435 -struct PptpWanErrorNotify {
439 - __u32 framingErrors;
440 - __u32 hardwareOverRuns;
441 - __u32 bufferOverRuns;
442 - __u32 timeoutErrors;
443 - __u32 alignmentErrors;
446 -struct PptpSetLinkInfo {
454 -struct pptp_priv_data {
460 -#endif /* __KERNEL__ */
461 -#endif /* _CONNTRACK_PPTP_H */
462 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
463 --- linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2003-07-04 04:12:27.000000000 -0400
464 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1969-12-31 19:00:00.000000000 -0500
466 -#ifndef _CONNTRACK_PROTO_GRE_H
467 -#define _CONNTRACK_PROTO_GRE_H
468 -#include <asm/byteorder.h>
470 -/* GRE PROTOCOL HEADER */
472 -/* GRE Version field */
473 -#define GRE_VERSION_1701 0x0
474 -#define GRE_VERSION_PPTP 0x1
476 -/* GRE Protocol field */
477 -#define GRE_PROTOCOL_PPTP 0x880B
480 -#define GRE_FLAG_C 0x80
481 -#define GRE_FLAG_R 0x40
482 -#define GRE_FLAG_K 0x20
483 -#define GRE_FLAG_S 0x10
484 -#define GRE_FLAG_A 0x80
486 -#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
487 -#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
488 -#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
489 -#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
490 -#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
492 -/* GRE is a mess: Four different standards */
494 -#if defined(__LITTLE_ENDIAN_BITFIELD)
504 -#elif defined(__BIG_ENDIAN_BITFIELD)
515 -#error "Adjust your <asm/byteorder.h> defines"
520 -/* modified GRE header for PPTP */
521 -struct gre_hdr_pptp {
522 - __u8 flags; /* bitfield */
523 - __u8 version; /* should be GRE_VERSION_PPTP */
524 - __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
525 - __u16 payload_len; /* size of ppp payload, not inc. gre header */
526 - __u16 call_id; /* peer's call_id for this session */
527 - __u32 seq; /* sequence number. Present if S==1 */
528 - __u32 ack; /* seq number of highest packet recieved by */
529 - /* sender in this session */
533 -/* this is part of ip_conntrack */
535 - unsigned int stream_timeout;
536 - unsigned int timeout;
539 -/* this is part of ip_conntrack_expect */
540 -struct ip_ct_gre_expect {
541 - struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
546 -/* structure for original <-> reply keymap */
547 -struct ip_ct_gre_keymap {
548 - struct list_head list;
550 - struct ip_conntrack_tuple tuple;
551 - struct ip_conntrack_expect *master;
555 -/* add new tuple->key_reply pair to keymap */
556 -int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
557 - struct ip_conntrack_tuple *t,
560 -/* change an existing keymap entry */
561 -void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
562 - struct ip_conntrack_tuple *t);
566 -/* get pointer to gre key, if present */
567 -static inline u_int32_t *gre_key(struct gre_hdr *greh)
571 - if (greh->csum || greh->routing)
572 - return (u_int32_t *) (greh+sizeof(*greh)+4);
573 - return (u_int32_t *) (greh+sizeof(*greh));
576 -/* get pointer ot gre csum, if present */
577 -static inline u_int16_t *gre_csum(struct gre_hdr *greh)
581 - return (u_int16_t *) (greh+sizeof(*greh));
584 -#endif /* __KERNEL__ */
586 -#endif /* _CONNTRACK_PROTO_GRE_H */
587 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h
588 --- linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 2003-07-04 04:12:27.000000000 -0400
589 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 1969-12-31 19:00:00.000000000 -0500
594 -#define TFTP_PORT 69
600 -#define TFTP_OPCODE_READ 1
601 -#define TFTP_OPCODE_WRITE 2
603 -#endif /* _IP_CT_TFTP */
604 diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
605 --- linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2003-07-04 04:12:27.000000000 -0400
606 +++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-05-09 04:13:03.000000000 -0400
608 union ip_conntrack_manip_proto
610 /* Add other protocols here. */
625 /* The manipulable part of the tuple. */
629 /* Add other protocols here. */
640 - u_int16_t protocol;
650 #define DUMP_TUPLE(tp) \
651 -DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \
652 +DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \
653 (tp), (tp)->dst.protonum, \
654 - NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \
655 - NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all))
657 -#define DUMP_TUPLE_RAW(x) \
658 - DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\
659 - (x), (x)->dst.protonum, \
660 - NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \
661 - NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all))
662 + NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \
663 + NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
665 #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
667 diff -Nurb linux/include/linux/netfilter_ipv4/ip_nat_pptp.h linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h
668 --- linux/include/linux/netfilter_ipv4/ip_nat_pptp.h 2003-07-04 04:12:27.000000000 -0400
669 +++ linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h 1969-12-31 19:00:00.000000000 -0500
671 -/* PPTP constants and structs */
675 -/* conntrack private data */
676 -struct ip_nat_pptp {
677 - u_int16_t pns_call_id; /* NAT'ed PNS call id */
678 - u_int16_t pac_call_id; /* NAT'ed PAC call id */
681 -#endif /* _NAT_PPTP_H */
682 diff -Nurb linux/include/linux/netfilter_ipv4/ip_pool.h linux.stock/include/linux/netfilter_ipv4/ip_pool.h
683 --- linux/include/linux/netfilter_ipv4/ip_pool.h 2003-07-04 04:12:27.000000000 -0400
684 +++ linux.stock/include/linux/netfilter_ipv4/ip_pool.h 1969-12-31 19:00:00.000000000 -0500
689 -/***************************************************************************/
690 -/* This program is free software; you can redistribute it and/or modify */
691 -/* it under the terms of the GNU General Public License as published by */
692 -/* the Free Software Foundation; either version 2 of the License, or */
693 -/* (at your option) any later version. */
695 -/* This program is distributed in the hope that it will be useful, */
696 -/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
697 -/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
698 -/* GNU General Public License for more details. */
700 -/* You should have received a copy of the GNU General Public License */
701 -/* along with this program; if not, write to the Free Software */
702 -/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
703 -/***************************************************************************/
705 -/* A sockopt of such quality has hardly ever been seen before on the open
706 - * market! This little beauty, hardly ever used: above 64, so it's
707 - * traditionally used for firewalling, not touched (even once!) by the
708 - * 2.0, 2.2 and 2.4 kernels!
710 - * Comes with its own certificate of authenticity, valid anywhere in the
715 -#define SO_IP_POOL 81
717 -typedef int ip_pool_t; /* pool index */
718 -#define IP_POOL_NONE ((ip_pool_t)-1)
720 -struct ip_pool_request {
727 -/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
729 -#define IP_POOL_BAD001 0x00000010
731 -#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */
732 -#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */
733 -#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */
734 -#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */
735 -#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */
736 -#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */
737 -#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */
738 -#define IP_POOL_USAGE 0x00000018 /* result in addr */
739 -#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */
743 -/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */
744 -extern int ip_pool_match(ip_pool_t pool, u_int32_t addr);
745 -extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel);
749 -#endif /*_IP_POOL_H*/
750 diff -Nurb linux/include/linux/netfilter_ipv4/ipt_pool.h linux.stock/include/linux/netfilter_ipv4/ipt_pool.h
751 --- linux/include/linux/netfilter_ipv4/ipt_pool.h 2003-07-04 04:12:27.000000000 -0400
752 +++ linux.stock/include/linux/netfilter_ipv4/ipt_pool.h 1969-12-31 19:00:00.000000000 -0500
757 -#include <linux/netfilter_ipv4/ip_pool.h>
759 -#define IPT_POOL_INV_SRC 0x00000001
760 -#define IPT_POOL_INV_DST 0x00000002
761 -#define IPT_POOL_DEL_SRC 0x00000004
762 -#define IPT_POOL_DEL_DST 0x00000008
763 -#define IPT_POOL_INV_MOD_SRC 0x00000010
764 -#define IPT_POOL_INV_MOD_DST 0x00000020
765 -#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040
766 -#define IPT_POOL_MOD_DST_ACCEPT 0x00000080
767 -#define IPT_POOL_MOD_SRC_DROP 0x00000100
768 -#define IPT_POOL_MOD_DST_DROP 0x00000200
771 -struct ipt_pool_info
778 -#endif /*_IPT_POOL_H*/
779 diff -Nurb linux/net/ipv4/netfilter/Config.in linux.stock/net/ipv4/netfilter/Config.in
780 --- linux/net/ipv4/netfilter/Config.in 2004-02-19 06:04:35.000000000 -0500
781 +++ linux.stock/net/ipv4/netfilter/Config.in 2004-05-09 04:13:03.000000000 -0400
783 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
784 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
785 dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
786 - dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
787 - dep_tristate ' H.323 (netmeeting) support' CONFIG_IP_NF_H323 $CONFIG_IP_NF_CONNTRACK
788 dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
789 - dep_tristate ' MMS protocol support' CONFIG_IP_NF_MMS $CONFIG_IP_NF_CONNTRACK
790 - dep_tristate ' GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK
791 - dep_tristate ' PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE
794 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
796 if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
797 # The simple matches.
798 dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
800 - dep_tristate ' IP address pool support' CONFIG_IP_NF_POOL $CONFIG_IP_NF_IPTABLES
801 - if [ "$CONFIG_IP_NF_POOL" = "y" -o "$CONFIG_IP_NF_POOL" = "m" ]; then
802 - bool ' enable statistics on pool usage' CONFIG_IP_POOL_STATISTICS n
805 dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
806 dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES
807 dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
808 dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
809 - dep_tristate ' Multiple port with ranges match support' CONFIG_IP_NF_MATCH_MPORT $CONFIG_IP_NF_IPTABLES
810 dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
811 - dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES
812 dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES
814 dep_tristate ' DSCP match support' CONFIG_IP_NF_MATCH_DSCP $CONFIG_IP_NF_IPTABLES
817 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
818 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
819 - dep_tristate ' Webstr match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_WEBSTR $CONFIG_IP_NF_IPTABLES
820 dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
824 define_bool CONFIG_IP_NF_NAT_NEEDED y
825 dep_tristate ' MASQUERADE target support' CONFIG_IP_NF_TARGET_MASQUERADE $CONFIG_IP_NF_NAT
826 dep_tristate ' REDIRECT target support' CONFIG_IP_NF_TARGET_REDIRECT $CONFIG_IP_NF_NAT
827 - dep_tristate ' Automatic port forwarding (autofw) target support' CONFIG_IP_NF_AUTOFW $CONFIG_IP_NF_NAT
828 - dep_tristate ' TRIGGER target support (port-trigger)' CONFIG_IP_NF_TARGET_TRIGGER $CONFIG_IP_NF_NAT
829 - if [ "$CONFIG_IP_NF_H323" = "m" ]; then
830 - define_tristate CONFIG_IP_NF_NAT_H323 m
832 - if [ "$CONFIG_IP_NF_H323" = "y" ]; then
833 - define_tristate CONFIG_IP_NF_NAT_H323 $CONFIG_IP_NF_NAT
836 - if [ "$CONFIG_IP_NF_PPTP" = "m" ]; then
837 - define_tristate CONFIG_IP_NF_NAT_PPTP m
839 - if [ "$CONFIG_IP_NF_PPTP" = "y" ]; then
840 - define_tristate CONFIG_IP_NF_NAT_PPTP $CONFIG_IP_NF_NAT
843 - if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "m" ]; then
844 - define_tristate CONFIG_IP_NF_NAT_PROTO_GRE m
846 - if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "y" ]; then
847 - define_tristate CONFIG_IP_NF_NAT_PROTO_GRE $CONFIG_IP_NF_NAT
850 bool ' NAT of local connections (READ HELP)' CONFIG_IP_NF_NAT_LOCAL
851 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
852 dep_tristate ' Basic SNMP-ALG support (EXPERIMENTAL)' CONFIG_IP_NF_NAT_SNMP_BASIC $CONFIG_IP_NF_NAT
854 define_tristate CONFIG_IP_NF_NAT_IRC $CONFIG_IP_NF_NAT
857 - if [ "$CONFIG_IP_NF_MMS" = "m" ]; then
858 - define_tristate CONFIG_IP_NF_NAT_MMS m
860 - if [ "$CONFIG_IP_NF_MMS" = "y" ]; then
861 - define_tristate CONFIG_IP_NF_NAT_MMS $CONFIG_IP_NF_NAT
864 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
865 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
866 if [ "$CONFIG_IP_NF_FTP" = "m" ]; then
868 define_tristate CONFIG_IP_NF_NAT_FTP $CONFIG_IP_NF_NAT
871 - if [ "$CONFIG_IP_NF_TFTP" = "m" ]; then
872 - define_tristate CONFIG_IP_NF_NAT_TFTP m
874 - if [ "$CONFIG_IP_NF_TFTP" = "y" ]; then
875 - define_tristate CONFIG_IP_NF_NAT_TFTP $CONFIG_IP_NF_NAT
881 diff -Nurb linux/net/ipv4/netfilter/Makefile linux.stock/net/ipv4/netfilter/Makefile
882 --- linux/net/ipv4/netfilter/Makefile 2004-02-19 06:04:35.000000000 -0500
883 +++ linux.stock/net/ipv4/netfilter/Makefile 2004-05-09 04:13:03.000000000 -0400
885 # connection tracking
886 obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
889 -obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
890 -obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
891 -ifdef CONFIG_IP_NF_NAT_H323
892 - export-objs += ip_conntrack_h323.o
896 -# connection tracking protocol helpers
897 -obj-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre.o
898 -ifdef CONFIG_IP_NF_CT_PROTO_GRE
899 - export-objs += ip_conntrack_proto_gre.o
902 -# NAT protocol helpers
903 -obj-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre.o
905 # connection tracking helpers
906 -obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
907 -ifdef CONFIG_IP_NF_NAT_MMS
908 - export-objs += ip_conntrack_mms.o
910 -obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
911 -ifdef CONFIG_IP_NF_NAT_PPTP
912 - export-objs += ip_conntrack_pptp.o
914 -obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
915 obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o
916 ifdef CONFIG_IP_NF_NAT_FTP
917 export-objs += ip_conntrack_ftp.o
920 obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
921 ifdef CONFIG_IP_NF_NAT_IRC
922 export-objs += ip_conntrack_irc.o
926 -obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
927 -obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
928 obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
929 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
930 -obj-$(CONFIG_IP_NF_NAT_MMS) += ip_nat_mms.o
933 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
935 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
936 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
937 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
938 -obj-$(CONFIG_IP_NF_POOL) += ipt_pool.o ip_pool.o
939 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
941 obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
942 obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
944 -obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o
946 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
947 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
949 -obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
951 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
952 obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
953 obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
955 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
956 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
957 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
958 -obj-$(CONFIG_IP_NF_MATCH_WEBSTR) += ipt_webstr.o
959 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
963 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
964 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
965 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
966 -obj-$(CONFIG_IP_NF_AUTOFW) += ip_autofw.o
967 -obj-$(CONFIG_IP_NF_TARGET_TRIGGER) += ipt_TRIGGER.o
970 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
971 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_core.c linux.stock/net/ipv4/netfilter/ip_conntrack_core.c
972 --- linux/net/ipv4/netfilter/ip_conntrack_core.c 2003-08-12 07:33:45.000000000 -0400
973 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_core.c 2004-05-09 04:13:03.000000000 -0400
976 #define IP_CONNTRACK_VERSION "2.1"
979 +#define DEBUGP printk
981 #define DEBUGP(format, args...)
984 DECLARE_RWLOCK(ip_conntrack_lock);
985 DECLARE_RWLOCK(ip_conntrack_expect_tuple_lock);
987 struct list_head *ip_conntrack_hash;
988 static kmem_cache_t *ip_conntrack_cachep;
991 -#define MINS * 60 SECS
992 -#define HOURS * 60 MINS
993 -#define DAYS * 24 HOURS
995 -int sysctl_ip_conntrack_tcp_timeouts[10] = {
996 - 30 MINS, /* TCP_CONNTRACK_NONE, */
997 - 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
998 - 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
999 - 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
1000 - 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
1001 - 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
1002 - 10 SECS, /* TCP_CONNTRACK_CLOSE, */
1003 - 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
1004 - 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
1005 - 2 MINS, /* TCP_CONNTRACK_LISTEN, */
1008 -int sysctl_ip_conntrack_udp_timeouts[2] = {
1009 - 30 SECS, /* UNREPLIED */
1010 - 180 SECS /* ASSURED */
1013 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
1015 static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr,
1017 static inline u_int32_t
1018 hash_conntrack(const struct ip_conntrack_tuple *tuple)
1021 + dump_tuple(tuple);
1023 /* ntohl because more differences in low bits. */
1024 /* To ensure that halves of the same connection don't hash
1025 clash, we add the source per-proto again. */
1027 tuple->dst.ip = iph->daddr;
1028 tuple->dst.protonum = iph->protocol;
1030 - tuple->src.u.all = tuple->dst.u.all = 0;
1032 ret = protocol->pkt_to_tuple((u_int32_t *)iph + iph->ihl,
1036 inverse->dst.ip = orig->src.ip;
1037 inverse->dst.protonum = orig->dst.protonum;
1039 - inverse->src.u.all = inverse->dst.u.all = 0;
1041 return protocol->invert_tuple(inverse, orig);
1046 destroy_expect(struct ip_conntrack_expect *exp)
1048 - DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(&exp->use));
1049 - IP_NF_ASSERT(atomic_read(&exp->use));
1050 + DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(exp->use));
1051 + IP_NF_ASSERT(atomic_read(exp->use));
1052 IP_NF_ASSERT(!timer_pending(&exp->timeout));
1055 @@ -267,11 +247,11 @@
1056 static void unexpect_related(struct ip_conntrack_expect *expect)
1058 IP_NF_ASSERT(expect->expectant);
1059 + IP_NF_ASSERT(expect->expectant->helper);
1060 /* if we are supposed to have a timer, but we can't delete
1061 * it: race condition. __unexpect_related will
1062 * be calledd by timeout function */
1063 - if (expect->expectant->helper
1064 - && expect->expectant->helper->timeout
1065 + if (expect->expectant->helper->timeout
1066 && !del_timer(&expect->timeout))
1071 /* Locally generated ICMPs will match inverted if they
1072 haven't been SNAT'ed yet */
1073 + /* FIXME: NAT code has to handle half-done double NAT --RR */
1074 if (hooknum == NF_IP_LOCAL_OUT)
1075 h = ip_conntrack_find_get(&origtuple, NULL);
1079 /* If the expectation is dying, then this is a looser. */
1081 - && expected->expectant->helper
1082 && expected->expectant->helper->timeout
1083 && ! del_timer(&expected->timeout))
1086 conntrack->master = expected;
1087 expected->sibling = conntrack;
1088 LIST_DELETE(&ip_conntrack_expect_list, expected);
1089 - INIT_LIST_HEAD(&expected->list);
1090 expected->expectant->expecting--;
1091 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
1093 @@ -821,9 +800,23 @@
1097 + /* FIXME: Do this right please. --RR */
1098 (*pskb)->nfcache |= NFC_UNKNOWN;
1100 /* Doesn't cover locally-generated broadcast, so not worth it. */
1102 + /* Ignore broadcast: no `connection'. */
1103 + if ((*pskb)->pkt_type == PACKET_BROADCAST) {
1104 + printk("Broadcast packet!\n");
1106 + } else if (((*pskb)->nh.iph->daddr & htonl(0x000000FF))
1107 + == htonl(0x000000FF)) {
1108 + printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n",
1109 + NIPQUAD((*pskb)->nh.iph->saddr),
1110 + NIPQUAD((*pskb)->nh.iph->daddr),
1111 + (*pskb)->sk, (*pskb)->pkt_type);
1115 /* Previously seen (loopback)? Ignore. Do this before
1118 * so there is no need to use the tuple lock too */
1120 DEBUGP("ip_conntrack_expect_related %p\n", related_to);
1121 - DEBUGP("tuple: "); DUMP_TUPLE_RAW(&expect->tuple);
1122 - DEBUGP("mask: "); DUMP_TUPLE_RAW(&expect->mask);
1123 + DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple);
1124 + DEBUGP("mask: "); DUMP_TUPLE(&expect->mask);
1126 old = LIST_FIND(&ip_conntrack_expect_list, resent_expect,
1127 struct ip_conntrack_expect *, &expect->tuple,
1129 pointing into the payload - otherwise we should have to copy
1130 the data filled out by the helper over the old one */
1131 DEBUGP("expect_related: resent packet\n");
1132 - if (related_to->helper &&
1133 - related_to->helper->timeout) {
1134 + if (related_to->helper->timeout) {
1135 if (!del_timer(&old->timeout)) {
1136 /* expectation is dying. Fall through */
1138 @@ -970,32 +962,26 @@
1139 WRITE_UNLOCK(&ip_conntrack_lock);
1142 - } else if (related_to->helper &&
1143 - related_to->helper->max_expected &&
1144 + } else if (related_to->helper->max_expected &&
1145 related_to->expecting >= related_to->helper->max_expected) {
1146 struct list_head *cur_item;
1148 - if (!(related_to->helper->flags &
1149 - IP_CT_HELPER_F_REUSE_EXPECT)) {
1150 - WRITE_UNLOCK(&ip_conntrack_lock);
1151 if (net_ratelimit())
1153 "ip_conntrack: max number of expected "
1154 "connections %i of %s reached for "
1155 - "%u.%u.%u.%u->%u.%u.%u.%u\n",
1156 + "%u.%u.%u.%u->%u.%u.%u.%u%s\n",
1157 related_to->helper->max_expected,
1158 related_to->helper->name,
1159 NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
1160 - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
1161 + NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip),
1162 + related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT ?
1163 + ", reusing" : "");
1164 + if (!(related_to->helper->flags &
1165 + IP_CT_HELPER_F_REUSE_EXPECT)) {
1166 + WRITE_UNLOCK(&ip_conntrack_lock);
1169 - DEBUGP("ip_conntrack: max number of expected "
1170 - "connections %i of %s reached for "
1171 - "%u.%u.%u.%u->%u.%u.%u.%u, reusing\n",
1172 - related_to->helper->max_expected,
1173 - related_to->helper->name,
1174 - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
1175 - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
1177 /* choose the the oldest expectation to evict */
1178 list_for_each(cur_item, &related_to->sibling_list) {
1179 @@ -1055,8 +1041,7 @@
1180 /* add to global list of expectations */
1181 list_prepend(&ip_conntrack_expect_list, &new->list);
1182 /* add and start timer if required */
1183 - if (related_to->helper &&
1184 - related_to->helper->timeout) {
1185 + if (related_to->helper->timeout) {
1186 init_timer(&new->timeout);
1187 new->timeout.data = (unsigned long)new;
1188 new->timeout.function = expectation_timed_out;
1189 @@ -1079,10 +1064,11 @@
1191 MUST_BE_READ_LOCKED(&ip_conntrack_lock);
1192 WRITE_LOCK(&ip_conntrack_expect_tuple_lock);
1194 DEBUGP("change_expect:\n");
1195 - DEBUGP("exp tuple: "); DUMP_TUPLE_RAW(&expect->tuple);
1196 - DEBUGP("exp mask: "); DUMP_TUPLE_RAW(&expect->mask);
1197 - DEBUGP("newtuple: "); DUMP_TUPLE_RAW(newtuple);
1198 + DEBUGP("exp tuple: "); DUMP_TUPLE(&expect->tuple);
1199 + DEBUGP("exp mask: "); DUMP_TUPLE(&expect->mask);
1200 + DEBUGP("newtuple: "); DUMP_TUPLE(newtuple);
1201 if (expect->ct_tuple.dst.protonum == 0) {
1202 /* Never seen before */
1203 DEBUGP("change expect: never seen before\n");
1204 @@ -1360,8 +1346,6 @@
1207 #define NET_IP_CONNTRACK_MAX 2089
1208 -#define NET_IP_CONNTRACK_TCP_TIMEOUTS 2090
1209 -#define NET_IP_CONNTRACK_UDP_TIMEOUTS 2091
1210 #define NET_IP_CONNTRACK_MAX_NAME "ip_conntrack_max"
1212 #ifdef CONFIG_SYSCTL
1213 @@ -1370,14 +1354,6 @@
1214 static ctl_table ip_conntrack_table[] = {
1215 { NET_IP_CONNTRACK_MAX, NET_IP_CONNTRACK_MAX_NAME, &ip_conntrack_max,
1216 sizeof(ip_conntrack_max), 0644, NULL, proc_dointvec },
1217 - { NET_IP_CONNTRACK_TCP_TIMEOUTS, "ip_conntrack_tcp_timeouts",
1218 - &sysctl_ip_conntrack_tcp_timeouts,
1219 - sizeof(sysctl_ip_conntrack_tcp_timeouts),
1220 - 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies },
1221 - { NET_IP_CONNTRACK_UDP_TIMEOUTS, "ip_conntrack_udp_timeouts",
1222 - &sysctl_ip_conntrack_udp_timeouts,
1223 - sizeof(sysctl_ip_conntrack_udp_timeouts),
1224 - 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies },
1228 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_ftp.c linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c
1229 --- linux/net/ipv4/netfilter/ip_conntrack_ftp.c 2003-07-04 04:12:31.000000000 -0400
1230 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c 2004-05-09 04:13:03.000000000 -0400
1232 static int loose = 0;
1233 MODULE_PARM(loose, "i");
1236 +#define DEBUGP printk
1238 #define DEBUGP(format, args...)
1241 static int try_rfc959(const char *, size_t, u_int32_t [], char);
1242 static int try_eprt(const char *, size_t, u_int32_t [], char);
1243 @@ -191,6 +195,16 @@
1246 if (strnicmp(data, pattern, plen) != 0) {
1250 + DEBUGP("ftp: string mismatch\n");
1251 + for (i = 0; i < plen; i++) {
1252 + DEBUGFTP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
1253 + i, data[i], data[i],
1254 + pattern[i], pattern[i]);
1264 +/* FIXME: This should be in userspace. Later. */
1265 static int help(const struct iphdr *iph, size_t len,
1266 struct ip_conntrack *ct,
1267 enum ip_conntrack_info ctinfo)
1271 /* Checksum invalid? Ignore. */
1272 + /* FIXME: Source route IP option packets --RR */
1273 if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1274 csum_partial((char *)tcph, tcplen, 0))) {
1275 DEBUGP("ftp_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1276 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_h323.c linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c
1277 --- linux/net/ipv4/netfilter/ip_conntrack_h323.c 2003-07-04 04:12:31.000000000 -0400
1278 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c 1969-12-31 19:00:00.000000000 -0500
1281 - * H.323 'brute force' extension for H.323 connection tracking.
1282 - * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
1284 - * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
1285 - * (http://www.coritel.it/projects/sofia/nat/)
1286 - * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind'
1287 - * the unregistered helpers to the conntrack entries.
1291 -#include <linux/module.h>
1292 -#include <linux/netfilter.h>
1293 -#include <linux/ip.h>
1294 -#include <net/checksum.h>
1295 -#include <net/tcp.h>
1297 -#include <linux/netfilter_ipv4/lockhelp.h>
1298 -#include <linux/netfilter_ipv4/ip_conntrack.h>
1299 -#include <linux/netfilter_ipv4/ip_conntrack_core.h>
1300 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
1301 -#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
1302 -#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
1304 -MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
1305 -MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
1306 -MODULE_LICENSE("GPL");
1308 -DECLARE_LOCK(ip_h323_lock);
1309 -struct module *ip_conntrack_h323 = THIS_MODULE;
1311 -#define DEBUGP(format, args...)
1313 -static int h245_help(const struct iphdr *iph, size_t len,
1314 - struct ip_conntrack *ct,
1315 - enum ip_conntrack_info ctinfo)
1317 - struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
1318 - unsigned char *data = (unsigned char *) tcph + tcph->doff * 4;
1319 - unsigned char *data_limit;
1320 - u_int32_t tcplen = len - iph->ihl * 4;
1321 - u_int32_t datalen = tcplen - tcph->doff * 4;
1322 - int dir = CTINFO2DIR(ctinfo);
1323 - struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
1324 - struct ip_conntrack_expect expect, *exp = &expect;
1325 - struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info;
1326 - u_int16_t data_port;
1327 - u_int32_t data_ip;
1330 - DEBUGP("ct_h245_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
1331 - NIPQUAD(iph->saddr), ntohs(tcph->source),
1332 - NIPQUAD(iph->daddr), ntohs(tcph->dest));
1334 - /* Can't track connections formed before we registered */
1338 - /* Until there's been traffic both ways, don't look in packets. */
1339 - if (ctinfo != IP_CT_ESTABLISHED
1340 - && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1341 - DEBUGP("ct_h245_help: Conntrackinfo = %u\n", ctinfo);
1345 - /* Not whole TCP header or too short packet? */
1346 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) {
1347 - DEBUGP("ct_h245_help: tcplen = %u\n", (unsigned)tcplen);
1351 - /* Checksum invalid? Ignore. */
1352 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1353 - csum_partial((char *)tcph, tcplen, 0))) {
1354 - DEBUGP("ct_h245_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1355 - tcph, tcplen, NIPQUAD(iph->saddr),
1356 - NIPQUAD(iph->daddr));
1360 - data_limit = (unsigned char *) data + datalen;
1363 - for (i = 0; data < (data_limit - 5); data++, i++) {
1364 - memcpy(&data_ip, data, sizeof(u_int32_t));
1365 - if (data_ip == iph->saddr) {
1366 - memcpy(&data_port, data + 4, sizeof(u_int16_t));
1367 - memset(&expect, 0, sizeof(expect));
1368 - /* update the H.225 info */
1369 - DEBUGP("ct_h245_help: new RTCP/RTP requested %u.%u.%u.%u:->%u.%u.%u.%u:%u\n",
1370 - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
1371 - NIPQUAD(iph->saddr), ntohs(data_port));
1372 - LOCK_BH(&ip_h323_lock);
1373 - info->is_h225 = H225_PORT + 1;
1374 - exp_info->port = data_port;
1375 - exp_info->dir = dir;
1376 - exp_info->offset = i;
1378 - exp->seq = ntohl(tcph->seq) + i;
1380 - exp->tuple = ((struct ip_conntrack_tuple)
1381 - { { ct->tuplehash[!dir].tuple.src.ip,
1386 - exp->mask = ((struct ip_conntrack_tuple)
1387 - { { 0xFFFFFFFF, { 0 } },
1388 - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
1390 - exp->expectfn = NULL;
1392 - /* Ignore failure; should only happen with NAT */
1393 - ip_conntrack_expect_related(ct, exp);
1395 - UNLOCK_BH(&ip_h323_lock);
1403 -/* H.245 helper is not registered! */
1404 -static struct ip_conntrack_helper h245 =
1406 - "H.245", /* name */
1407 - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */
1408 - NULL, /* module */
1409 - 8, /* max_ expected */
1410 - 240, /* timeout */
1411 - { { 0, { 0 } }, /* tuple */
1412 - { 0, { 0 }, IPPROTO_TCP } },
1413 - { { 0, { 0xFFFF } }, /* mask */
1414 - { 0, { 0 }, 0xFFFF } },
1415 - h245_help /* helper */
1418 -static int h225_expect(struct ip_conntrack *ct)
1420 - WRITE_LOCK(&ip_conntrack_lock);
1421 - ct->helper = &h245;
1422 - DEBUGP("h225_expect: helper for %p added\n", ct);
1423 - WRITE_UNLOCK(&ip_conntrack_lock);
1425 - return NF_ACCEPT; /* unused */
1428 -static int h225_help(const struct iphdr *iph, size_t len,
1429 - struct ip_conntrack *ct,
1430 - enum ip_conntrack_info ctinfo)
1432 - struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
1433 - unsigned char *data = (unsigned char *) tcph + tcph->doff * 4;
1434 - unsigned char *data_limit;
1435 - u_int32_t tcplen = len - iph->ihl * 4;
1436 - u_int32_t datalen = tcplen - tcph->doff * 4;
1437 - int dir = CTINFO2DIR(ctinfo);
1438 - struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
1439 - struct ip_conntrack_expect expect, *exp = &expect;
1440 - struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info;
1441 - u_int16_t data_port;
1442 - u_int32_t data_ip;
1445 - DEBUGP("ct_h225_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
1446 - NIPQUAD(iph->saddr), ntohs(tcph->source),
1447 - NIPQUAD(iph->daddr), ntohs(tcph->dest));
1449 - /* Can't track connections formed before we registered */
1453 - /* Until there's been traffic both ways, don't look in packets. */
1454 - if (ctinfo != IP_CT_ESTABLISHED
1455 - && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1456 - DEBUGP("ct_h225_help: Conntrackinfo = %u\n", ctinfo);
1460 - /* Not whole TCP header or too short packet? */
1461 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) {
1462 - DEBUGP("ct_h225_help: tcplen = %u\n", (unsigned)tcplen);
1466 - /* Checksum invalid? Ignore. */
1467 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1468 - csum_partial((char *)tcph, tcplen, 0))) {
1469 - DEBUGP("ct_h225_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1470 - tcph, tcplen, NIPQUAD(iph->saddr),
1471 - NIPQUAD(iph->daddr));
1475 - data_limit = (unsigned char *) data + datalen;
1478 - for (i = 0; data < (data_limit - 5); data++, i++) {
1479 - memcpy(&data_ip, data, sizeof(u_int32_t));
1480 - if (data_ip == iph->saddr) {
1481 - memcpy(&data_port, data + 4, sizeof(u_int16_t));
1482 - if (data_port == tcph->source) {
1483 - /* Signal address */
1484 - DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n",
1485 - NIPQUAD(iph->saddr));
1486 - /* Update the H.225 info so that NAT can mangle the address/port
1487 - even when we have no expected connection! */
1488 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1489 - LOCK_BH(&ip_h323_lock);
1491 - info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i;
1492 - info->offset[IP_CT_DIR_ORIGINAL] = i;
1493 - UNLOCK_BH(&ip_h323_lock);
1496 - memset(&expect, 0, sizeof(expect));
1498 - /* update the H.225 info */
1499 - LOCK_BH(&ip_h323_lock);
1500 - info->is_h225 = H225_PORT;
1501 - exp_info->port = data_port;
1502 - exp_info->dir = dir;
1503 - exp_info->offset = i;
1505 - exp->seq = ntohl(tcph->seq) + i;
1507 - exp->tuple = ((struct ip_conntrack_tuple)
1508 - { { ct->tuplehash[!dir].tuple.src.ip,
1513 - exp->mask = ((struct ip_conntrack_tuple)
1514 - { { 0xFFFFFFFF, { 0 } },
1515 - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
1517 - exp->expectfn = h225_expect;
1519 - /* Ignore failure */
1520 - ip_conntrack_expect_related(ct, exp);
1522 - DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n",
1523 - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
1524 - NIPQUAD(iph->saddr), ntohs(data_port));
1526 - UNLOCK_BH(&ip_h323_lock);
1528 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1529 - } else if (data_ip == iph->daddr) {
1530 - memcpy(&data_port, data + 4, sizeof(u_int16_t));
1531 - if (data_port == tcph->dest) {
1532 - /* Signal address */
1533 - DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n",
1534 - NIPQUAD(iph->daddr));
1535 - /* Update the H.225 info so that NAT can mangle the address/port
1536 - even when we have no expected connection! */
1537 - LOCK_BH(&ip_h323_lock);
1539 - info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i;
1540 - info->offset[IP_CT_DIR_REPLY] = i;
1541 - UNLOCK_BH(&ip_h323_lock);
1551 -static struct ip_conntrack_helper h225 =
1553 - "H.225", /* name */
1554 - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */
1555 - THIS_MODULE, /* module */
1556 - 2, /* max_expected */
1557 - 240, /* timeout */
1558 - { { 0, { __constant_htons(H225_PORT) } }, /* tuple */
1559 - { 0, { 0 }, IPPROTO_TCP } },
1560 - { { 0, { 0xFFFF } }, /* mask */
1561 - { 0, { 0 }, 0xFFFF } },
1562 - h225_help /* helper */
1565 -static int __init init(void)
1567 - return ip_conntrack_helper_register(&h225);
1570 -static void __exit fini(void)
1572 - /* Unregister H.225 helper */
1573 - ip_conntrack_helper_unregister(&h225);
1576 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1577 -EXPORT_SYMBOL(ip_h323_lock);
1582 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_mms.c linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c
1583 --- linux/net/ipv4/netfilter/ip_conntrack_mms.c 2003-07-04 04:12:31.000000000 -0400
1584 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c 1969-12-31 19:00:00.000000000 -0500
1586 -/* MMS extension for IP connection tracking
1587 - * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
1588 - * based on ip_conntrack_ftp.c and ip_conntrack_irc.c
1590 - * ip_conntrack_mms.c v0.3 2002-09-22
1592 - * This program is free software; you can redistribute it and/or
1593 - * modify it under the terms of the GNU General Public License
1594 - * as published by the Free Software Foundation; either version
1595 - * 2 of the License, or (at your option) any later version.
1597 - * Module load syntax:
1598 - * insmod ip_conntrack_mms.o ports=port1,port2,...port<MAX_PORTS>
1600 - * Please give the ports of all MMS servers You wish to connect to.
1601 - * If you don't specify ports, the default will be TCP port 1755.
1603 - * More info on MMS protocol, firewalls and NAT:
1604 - * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp
1605 - * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp
1607 - * The SDP project people are reverse-engineering MMS:
1608 - * http://get.to/sdp
1611 -#include <linux/config.h>
1612 -#include <linux/module.h>
1613 -#include <linux/netfilter.h>
1614 -#include <linux/ip.h>
1615 -#include <linux/ctype.h>
1616 -#include <net/checksum.h>
1617 -#include <net/tcp.h>
1619 -#include <linux/netfilter_ipv4/lockhelp.h>
1620 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
1621 -#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
1623 -DECLARE_LOCK(ip_mms_lock);
1624 -struct module *ip_conntrack_mms = THIS_MODULE;
1626 -#define MAX_PORTS 8
1627 -static int ports[MAX_PORTS];
1628 -static int ports_c;
1630 -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
1633 -#define DEBUGP(format, args...)
1635 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1636 -EXPORT_SYMBOL(ip_mms_lock);
1639 -MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
1640 -MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module");
1641 -MODULE_LICENSE("GPL");
1643 -/* #define isdigit(c) (c >= '0' && c <= '9') */
1645 -/* copied from drivers/usb/serial/io_edgeport.c - not perfect but will do the trick */
1646 -static void unicode_to_ascii (char *string, short *unicode, int unicode_size)
1649 - for (i = 0; i < unicode_size; ++i) {
1650 - string[i] = (char)(unicode[i]);
1652 - string[unicode_size] = 0x00;
1655 -__inline static int atoi(char *s)
1658 - while (isdigit(*s)) {
1659 - i = i*10 + *(s++) - '0';
1664 -/* convert ip address string like "192.168.0.10" to unsigned int */
1665 -__inline static u_int32_t asciiiptoi(char *s)
1667 - unsigned int i, j, k;
1669 - for(i=k=0; k<3; ++k, ++s, i<<=8) {
1671 - for(j=0; (*(++s) != '.') && (j<3); ++j)
1678 -int parse_mms(const char *data,
1679 - const unsigned int datalen,
1680 - u_int32_t *mms_ip,
1681 - u_int16_t *mms_proto,
1682 - u_int16_t *mms_port,
1683 - char **mms_string_b,
1684 - char **mms_string_e,
1685 - char **mms_padding_e)
1687 - int unicode_size, i;
1688 - char tempstring[28]; /* "\\255.255.255.255\UDP\65535" */
1689 - char getlengthstring[28];
1691 - for(unicode_size=0;
1692 - (char) *(data+(MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2)) != (char)0;
1694 - if ((unicode_size == 28) || (MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2 >= datalen))
1695 - return -1; /* out of bounds - incomplete packet */
1697 - unicode_to_ascii(tempstring, (short *)(data+MMS_SRV_UNICODE_STRING_OFFSET), unicode_size);
1698 - DEBUGP("ip_conntrack_mms: offset 60: %s\n", (const char *)(tempstring));
1700 - /* IP address ? */
1701 - *mms_ip = asciiiptoi(tempstring+2);
1703 - i=sprintf(getlengthstring, "%u.%u.%u.%u", HIPQUAD(*mms_ip));
1706 - if(strncmp(tempstring+3+i, "TCP", 3)==0)
1707 - *mms_proto = IPPROTO_TCP;
1708 - else if(strncmp(tempstring+3+i, "UDP", 3)==0)
1709 - *mms_proto = IPPROTO_UDP;
1712 - *mms_port = atoi(tempstring+7+i);
1714 - /* we store a pointer to the beginning of the "\\a.b.c.d\proto\port"
1715 - unicode string, one to the end of the string, and one to the end
1716 - of the packet, since we must keep track of the number of bytes
1717 - between end of the unicode string and the end of packet (padding) */
1718 - *mms_string_b = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET);
1719 - *mms_string_e = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET + unicode_size * 2);
1720 - *mms_padding_e = (char *)(data + datalen); /* looks funny, doesn't it */
1725 -static int help(const struct iphdr *iph, size_t len,
1726 - struct ip_conntrack *ct,
1727 - enum ip_conntrack_info ctinfo)
1729 - /* tcplen not negative guaranteed by ip_conntrack_tcp.c */
1730 - struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
1731 - const char *data = (const char *)tcph + tcph->doff * 4;
1732 - unsigned int tcplen = len - iph->ihl * 4;
1733 - unsigned int datalen = tcplen - tcph->doff * 4;
1734 - int dir = CTINFO2DIR(ctinfo);
1735 - struct ip_conntrack_expect expect, *exp = &expect;
1736 - struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info;
1739 - u_int16_t mms_proto;
1740 - char mms_proto_string[8];
1741 - u_int16_t mms_port;
1742 - char *mms_string_b, *mms_string_e, *mms_padding_e;
1744 - /* Until there's been traffic both ways, don't look in packets. */
1745 - if (ctinfo != IP_CT_ESTABLISHED
1746 - && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
1747 - DEBUGP("ip_conntrack_mms: Conntrackinfo = %u\n", ctinfo);
1751 - /* Not whole TCP header? */
1752 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) {
1753 - DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen);
1757 - /* Checksum invalid? Ignore. */
1758 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1759 - csum_partial((char *)tcph, tcplen, 0))) {
1760 - DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1761 - tcph, tcplen, NIPQUAD(iph->saddr),
1762 - NIPQUAD(iph->daddr));
1766 - /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */
1767 - if( (MMS_SRV_MSG_OFFSET < datalen) &&
1768 - ((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) {
1769 - DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n",
1770 - (u8)*(data+36), (u8)*(data+37),
1771 - (u8)*(data+38), (u8)*(data+39),
1773 - if(parse_mms(data, datalen, &mms_ip, &mms_proto, &mms_port,
1774 - &mms_string_b, &mms_string_e, &mms_padding_e))
1775 - if(net_ratelimit())
1776 - printk(KERN_WARNING
1777 - "ip_conntrack_mms: Unable to parse data payload\n");
1779 - memset(&expect, 0, sizeof(expect));
1781 - sprintf(mms_proto_string, "(%u)", mms_proto);
1782 - DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n",
1783 - mms_proto == IPPROTO_TCP ? "TCP"
1784 - : mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string,
1785 - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
1789 - /* it's possible that the client will just ask the server to tunnel
1790 - the stream over the same TCP session (from port 1755): there's
1791 - shouldn't be a need to add an expectation in that case, but it
1792 - makes NAT packet mangling so much easier */
1793 - LOCK_BH(&ip_mms_lock);
1795 - DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq);
1797 - exp->seq = ntohl(tcph->seq) + (mms_string_b - data);
1798 - exp_mms_info->len = (mms_string_e - mms_string_b);
1799 - exp_mms_info->padding = (mms_padding_e - mms_string_e);
1800 - exp_mms_info->port = mms_port;
1802 - DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n",
1803 - exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding);
1805 - exp->tuple = ((struct ip_conntrack_tuple)
1806 - { { ct->tuplehash[!dir].tuple.src.ip, { 0 } },
1808 - { (__u16) ntohs(mms_port) },
1811 - exp->mask = ((struct ip_conntrack_tuple)
1812 - { { 0xFFFFFFFF, { 0 } },
1813 - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
1814 - exp->expectfn = NULL;
1815 - ip_conntrack_expect_related(ct, &expect);
1816 - UNLOCK_BH(&ip_mms_lock);
1822 -static struct ip_conntrack_helper mms[MAX_PORTS];
1823 -static char mms_names[MAX_PORTS][10];
1825 -/* Not __exit: called from init() */
1826 -static void fini(void)
1829 - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
1830 - DEBUGP("ip_conntrack_mms: unregistering helper for port %d\n",
1832 - ip_conntrack_helper_unregister(&mms[i]);
1836 -static int __init init(void)
1841 - if (ports[0] == 0)
1842 - ports[0] = MMS_PORT;
1844 - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
1845 - memset(&mms[i], 0, sizeof(struct ip_conntrack_helper));
1846 - mms[i].tuple.src.u.tcp.port = htons(ports[i]);
1847 - mms[i].tuple.dst.protonum = IPPROTO_TCP;
1848 - mms[i].mask.src.u.tcp.port = 0xFFFF;
1849 - mms[i].mask.dst.protonum = 0xFFFF;
1850 - mms[i].max_expected = 1;
1851 - mms[i].timeout = 0;
1852 - mms[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
1853 - mms[i].me = THIS_MODULE;
1854 - mms[i].help = help;
1856 - tmpname = &mms_names[i][0];
1857 - if (ports[i] == MMS_PORT)
1858 - sprintf(tmpname, "mms");
1860 - sprintf(tmpname, "mms-%d", ports[i]);
1861 - mms[i].name = tmpname;
1863 - DEBUGP("ip_conntrack_mms: registering helper for port %d\n",
1865 - ret = ip_conntrack_helper_register(&mms[i]);
1878 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_pptp.c linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c
1879 --- linux/net/ipv4/netfilter/ip_conntrack_pptp.c 2003-07-04 04:12:31.000000000 -0400
1880 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c 1969-12-31 19:00:00.000000000 -0500
1883 - * ip_conntrack_pptp.c - Version 1.11
1885 - * Connection tracking support for PPTP (Point to Point Tunneling Protocol).
1886 - * PPTP is a a protocol for creating virtual private networks.
1887 - * It is a specification defined by Microsoft and some vendors
1888 - * working with Microsoft. PPTP is built on top of a modified
1889 - * version of the Internet Generic Routing Encapsulation Protocol.
1890 - * GRE is defined in RFC 1701 and RFC 1702. Documentation of
1891 - * PPTP can be found in RFC 2637
1893 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>,
1895 - * Development of this code funded by Astaro AG (http://www.astaro.com/)
1898 - * - We blindly assume that control connections are always
1899 - * established in PNS->PAC direction. This is a violation
1902 - * TODO: - finish support for multiple calls within one session
1903 - * (needs expect reservations in newnat)
1904 - * - testing of incoming PPTP calls
1907 -#include <linux/config.h>
1908 -#include <linux/module.h>
1909 -#include <linux/netfilter.h>
1910 -#include <linux/ip.h>
1911 -#include <net/checksum.h>
1912 -#include <net/tcp.h>
1914 -#include <linux/netfilter_ipv4/lockhelp.h>
1915 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
1916 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
1917 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
1919 -MODULE_LICENSE("GPL");
1920 -MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
1921 -MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP");
1923 -DECLARE_LOCK(ip_pptp_lock);
1925 -#define DEBUGP(format, args...)
1928 -#define MINS * 60 SECS
1929 -#define HOURS * 60 MINS
1930 -#define DAYS * 24 HOURS
1932 -#define PPTP_GRE_TIMEOUT (10 MINS)
1933 -#define PPTP_GRE_STREAM_TIMEOUT (5 DAYS)
1935 -static int pptp_expectfn(struct ip_conntrack *ct)
1937 - struct ip_conntrack_expect *exp, *other_exp;
1938 - struct ip_conntrack *master;
1940 - DEBUGP("increasing timeouts\n");
1941 - /* increase timeout of GRE data channel conntrack entry */
1942 - ct->proto.gre.timeout = PPTP_GRE_TIMEOUT;
1943 - ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT;
1945 - master = master_ct(ct);
1947 - DEBUGP(" no master!!!\n");
1951 - DEBUGP("completing tuples with ct info\n");
1952 - /* we can do this, since we're unconfirmed */
1953 - if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key ==
1954 - htonl(master->help.ct_pptp_info.pac_call_id)) {
1955 - /* assume PNS->PAC */
1956 - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
1957 - htonl(master->help.ct_pptp_info.pns_call_id);
1958 - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
1959 - htonl(master->help.ct_pptp_info.pns_call_id);
1961 - /* assume PAC->PNS */
1962 - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
1963 - htonl(master->help.ct_pptp_info.pac_call_id);
1964 - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
1965 - htonl(master->help.ct_pptp_info.pns_call_id);
1971 -/* timeout GRE data connections */
1972 -static int pptp_timeout_related(struct ip_conntrack *ct)
1974 - struct list_head *cur_item;
1975 - struct ip_conntrack_expect *exp;
1977 - list_for_each(cur_item, &ct->sibling_list) {
1978 - exp = list_entry(cur_item, struct ip_conntrack_expect,
1981 - if (!exp->sibling)
1984 - DEBUGP("setting timeout of conntrack %p to 0\n",
1986 - exp->sibling->proto.gre.timeout = 0;
1987 - exp->sibling->proto.gre.stream_timeout = 0;
1988 - ip_ct_refresh(exp->sibling, 0);
1994 -/* expect GRE connection in PNS->PAC direction */
1996 -exp_gre(struct ip_conntrack *master,
1999 - u_int16_t peer_callid)
2001 - struct ip_conntrack_expect exp;
2002 - struct ip_conntrack_tuple inv_tuple;
2004 - memset(&exp, 0, sizeof(exp));
2005 - /* tuple in original direction, PAC->PNS */
2006 - exp.tuple.src.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
2007 - exp.tuple.src.u.gre.key = htonl(ntohs(peer_callid));
2008 - exp.tuple.dst.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
2009 - exp.tuple.dst.u.gre.key = htonl(ntohs(callid));
2010 - exp.tuple.dst.u.gre.protocol = __constant_htons(GRE_PROTOCOL_PPTP);
2011 - exp.tuple.dst.u.gre.version = GRE_VERSION_PPTP;
2012 - exp.tuple.dst.protonum = IPPROTO_GRE;
2014 - exp.mask.src.ip = 0xffffffff;
2015 - exp.mask.src.u.all = 0;
2016 - exp.mask.dst.u.all = 0;
2017 - exp.mask.dst.u.gre.key = 0xffffffff;
2018 - exp.mask.dst.u.gre.version = 0xff;
2019 - exp.mask.dst.u.gre.protocol = 0xffff;
2020 - exp.mask.dst.ip = 0xffffffff;
2021 - exp.mask.dst.protonum = 0xffff;
2024 - exp.expectfn = pptp_expectfn;
2026 - exp.help.exp_pptp_info.pac_call_id = ntohs(callid);
2027 - exp.help.exp_pptp_info.pns_call_id = ntohs(peer_callid);
2029 - DEBUGP("calling expect_related ");
2030 - DUMP_TUPLE_RAW(&exp.tuple);
2032 - /* Add GRE keymap entries */
2033 - ip_ct_gre_keymap_add(&exp, &exp.tuple, 0);
2034 - invert_tuplepr(&inv_tuple, &exp.tuple);
2035 - ip_ct_gre_keymap_add(&exp, &inv_tuple, 1);
2037 - ip_conntrack_expect_related(master, &exp);
2043 -pptp_inbound_pkt(struct tcphdr *tcph,
2044 - struct pptp_pkt_hdr *pptph,
2046 - struct ip_conntrack *ct,
2047 - enum ip_conntrack_info ctinfo)
2049 - struct PptpControlHeader *ctlh;
2050 - union pptp_ctrl_union pptpReq;
2052 - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
2053 - u_int16_t msg, *cid, *pcid;
2056 - ctlh = (struct PptpControlHeader *)
2057 - ((char *) pptph + sizeof(struct pptp_pkt_hdr));
2058 - pptpReq.rawreq = (void *)
2059 - ((char *) ctlh + sizeof(struct PptpControlHeader));
2061 - msg = ntohs(ctlh->messageType);
2062 - DEBUGP("inbound control message %s\n", strMName[msg]);
2065 - case PPTP_START_SESSION_REPLY:
2066 - /* server confirms new control session */
2067 - if (info->sstate < PPTP_SESSION_REQUESTED) {
2068 - DEBUGP("%s without START_SESS_REQUEST\n",
2072 - if (pptpReq.srep->resultCode == PPTP_START_OK)
2073 - info->sstate = PPTP_SESSION_CONFIRMED;
2075 - info->sstate = PPTP_SESSION_ERROR;
2078 - case PPTP_STOP_SESSION_REPLY:
2079 - /* server confirms end of control session */
2080 - if (info->sstate > PPTP_SESSION_STOPREQ) {
2081 - DEBUGP("%s without STOP_SESS_REQUEST\n",
2085 - if (pptpReq.strep->resultCode == PPTP_STOP_OK)
2086 - info->sstate = PPTP_SESSION_NONE;
2088 - info->sstate = PPTP_SESSION_ERROR;
2091 - case PPTP_OUT_CALL_REPLY:
2092 - /* server accepted call, we now expect GRE frames */
2093 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2094 - DEBUGP("%s but no session\n", strMName[msg]);
2097 - if (info->cstate != PPTP_CALL_OUT_REQ &&
2098 - info->cstate != PPTP_CALL_OUT_CONF) {
2099 - DEBUGP("%s without OUTCALL_REQ\n", strMName[msg]);
2102 - if (pptpReq.ocack->resultCode != PPTP_OUTCALL_CONNECT) {
2103 - info->cstate = PPTP_CALL_NONE;
2107 - cid = &pptpReq.ocack->callID;
2108 - pcid = &pptpReq.ocack->peersCallID;
2110 - info->pac_call_id = ntohs(*cid);
2112 - if (htons(info->pns_call_id) != *pcid) {
2113 - DEBUGP("%s for unknown callid %u\n",
2114 - strMName[msg], ntohs(*pcid));
2118 - DEBUGP("%s, CID=%X, PCID=%X\n", strMName[msg],
2119 - ntohs(*cid), ntohs(*pcid));
2121 - info->cstate = PPTP_CALL_OUT_CONF;
2123 - seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph);
2124 - exp_gre(ct, seq, *cid, *pcid);
2127 - case PPTP_IN_CALL_REQUEST:
2128 - /* server tells us about incoming call request */
2129 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2130 - DEBUGP("%s but no session\n", strMName[msg]);
2133 - pcid = &pptpReq.icack->peersCallID;
2134 - DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid));
2135 - info->cstate = PPTP_CALL_IN_REQ;
2136 - info->pac_call_id= ntohs(*pcid);
2139 - case PPTP_IN_CALL_CONNECT:
2140 - /* server tells us about incoming call established */
2141 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2142 - DEBUGP("%s but no session\n", strMName[msg]);
2145 - if (info->sstate != PPTP_CALL_IN_REP
2146 - && info->sstate != PPTP_CALL_IN_CONF) {
2147 - DEBUGP("%s but never sent IN_CALL_REPLY\n",
2152 - pcid = &pptpReq.iccon->peersCallID;
2153 - cid = &info->pac_call_id;
2155 - if (info->pns_call_id != ntohs(*pcid)) {
2156 - DEBUGP("%s for unknown CallID %u\n",
2157 - strMName[msg], ntohs(*cid));
2161 - DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid));
2162 - info->cstate = PPTP_CALL_IN_CONF;
2164 - /* we expect a GRE connection from PAC to PNS */
2165 - seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph);
2166 - exp_gre(ct, seq, *cid, *pcid);
2170 - case PPTP_CALL_DISCONNECT_NOTIFY:
2171 - /* server confirms disconnect */
2172 - cid = &pptpReq.disc->callID;
2173 - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid));
2174 - info->cstate = PPTP_CALL_NONE;
2176 - /* untrack this call id, unexpect GRE packets */
2177 - pptp_timeout_related(ct);
2178 - /* NEWNAT: look up exp for call id and unexpct_related */
2181 - case PPTP_WAN_ERROR_NOTIFY:
2184 - case PPTP_ECHO_REQUEST:
2185 - case PPTP_ECHO_REPLY:
2186 - /* I don't have to explain these ;) */
2189 - DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)
2190 - ? strMName[msg]:strMName[0], msg);
2199 -pptp_outbound_pkt(struct tcphdr *tcph,
2200 - struct pptp_pkt_hdr *pptph,
2202 - struct ip_conntrack *ct,
2203 - enum ip_conntrack_info ctinfo)
2205 - struct PptpControlHeader *ctlh;
2206 - union pptp_ctrl_union pptpReq;
2207 - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
2208 - u_int16_t msg, *cid, *pcid;
2210 - ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
2211 - pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
2213 - msg = ntohs(ctlh->messageType);
2214 - DEBUGP("outbound control message %s\n", strMName[msg]);
2217 - case PPTP_START_SESSION_REQUEST:
2218 - /* client requests for new control session */
2219 - if (info->sstate != PPTP_SESSION_NONE) {
2220 - DEBUGP("%s but we already have one",
2223 - info->sstate = PPTP_SESSION_REQUESTED;
2225 - case PPTP_STOP_SESSION_REQUEST:
2226 - /* client requests end of control session */
2227 - info->sstate = PPTP_SESSION_STOPREQ;
2230 - case PPTP_OUT_CALL_REQUEST:
2231 - /* client initiating connection to server */
2232 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2233 - DEBUGP("%s but no session\n",
2237 - info->cstate = PPTP_CALL_OUT_REQ;
2238 - /* track PNS call id */
2239 - cid = &pptpReq.ocreq->callID;
2240 - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid));
2241 - info->pns_call_id = ntohs(*cid);
2243 - case PPTP_IN_CALL_REPLY:
2244 - /* client answers incoming call */
2245 - if (info->cstate != PPTP_CALL_IN_REQ
2246 - && info->cstate != PPTP_CALL_IN_REP) {
2247 - DEBUGP("%s without incall_req\n",
2251 - if (pptpReq.icack->resultCode != PPTP_INCALL_ACCEPT) {
2252 - info->cstate = PPTP_CALL_NONE;
2255 - pcid = &pptpReq.icack->peersCallID;
2256 - if (info->pac_call_id != ntohs(*pcid)) {
2257 - DEBUGP("%s for unknown call %u\n",
2258 - strMName[msg], ntohs(*pcid));
2261 - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*pcid));
2262 - /* part two of the three-way handshake */
2263 - info->cstate = PPTP_CALL_IN_REP;
2264 - info->pns_call_id = ntohs(pptpReq.icack->callID);
2267 - case PPTP_CALL_CLEAR_REQUEST:
2268 - /* client requests hangup of call */
2269 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2270 - DEBUGP("CLEAR_CALL but no session\n");
2273 - /* FUTURE: iterate over all calls and check if
2274 - * call ID is valid. We don't do this without newnat,
2275 - * because we only know about last call */
2276 - info->cstate = PPTP_CALL_CLEAR_REQ;
2278 - case PPTP_SET_LINK_INFO:
2280 - case PPTP_ECHO_REQUEST:
2281 - case PPTP_ECHO_REPLY:
2282 - /* I don't have to explain these ;) */
2285 - DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)?
2286 - strMName[msg]:strMName[0], msg);
2287 - /* unknown: no need to create GRE masq table entry */
2295 -/* track caller id inside control connection, call expect_related */
2297 -conntrack_pptp_help(const struct iphdr *iph, size_t len,
2298 - struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
2301 - struct pptp_pkt_hdr *pptph;
2303 - struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
2304 - u_int32_t tcplen = len - iph->ihl * 4;
2305 - u_int32_t datalen = tcplen - tcph->doff * 4;
2307 - int dir = CTINFO2DIR(ctinfo);
2308 - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
2310 - int oldsstate, oldcstate;
2313 - /* don't do any tracking before tcp handshake complete */
2314 - if (ctinfo != IP_CT_ESTABLISHED
2315 - && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
2316 - DEBUGP("ctinfo = %u, skipping\n", ctinfo);
2320 - /* not a complete TCP header? */
2321 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) {
2322 - DEBUGP("tcplen = %u\n", tcplen);
2326 - /* checksum invalid? */
2327 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
2328 - csum_partial((char *) tcph, tcplen, 0))) {
2329 - printk(KERN_NOTICE __FILE__ ": bad csum\n");
2330 -// return NF_ACCEPT;
2333 - if (tcph->fin || tcph->rst) {
2334 - DEBUGP("RST/FIN received, timeouting GRE\n");
2335 - /* can't do this after real newnat */
2336 - info->cstate = PPTP_CALL_NONE;
2338 - /* untrack this call id, unexpect GRE packets */
2339 - pptp_timeout_related(ct);
2340 - /* no need to call unexpect_related since master conn
2345 - pptph = (struct pptp_pkt_hdr *) ((void *) tcph + tcph->doff * 4);
2346 - datalimit = (void *) pptph + datalen;
2348 - /* not a full pptp packet header? */
2349 - if ((void *) pptph+sizeof(*pptph) >= datalimit) {
2350 - DEBUGP("no full PPTP header, can't track\n");
2354 - /* if it's not a control message we can't do anything with it */
2355 - if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL ||
2356 - ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) {
2357 - DEBUGP("not a control packet\n");
2361 - oldsstate = info->sstate;
2362 - oldcstate = info->cstate;
2364 - LOCK_BH(&ip_pptp_lock);
2366 - if (dir == IP_CT_DIR_ORIGINAL)
2367 - /* client -> server (PNS -> PAC) */
2368 - ret = pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo);
2370 - /* server -> client (PAC -> PNS) */
2371 - ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo);
2372 - DEBUGP("sstate: %d->%d, cstate: %d->%d\n",
2373 - oldsstate, info->sstate, oldcstate, info->cstate);
2374 - UNLOCK_BH(&ip_pptp_lock);
2379 -/* control protocol helper */
2380 -static struct ip_conntrack_helper pptp = {
2382 - "pptp", IP_CT_HELPER_F_REUSE_EXPECT, THIS_MODULE, 2, 0,
2383 - { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } },
2384 - { 0, { 0 }, IPPROTO_TCP } },
2385 - { { 0, { tcp: { port: 0xffff } } },
2386 - { 0, { 0 }, 0xffff } },
2387 - conntrack_pptp_help };
2389 -/* ip_conntrack_pptp initialization */
2390 -static int __init init(void)
2394 - DEBUGP(__FILE__ ": registering helper\n");
2395 - if ((retcode = ip_conntrack_helper_register(&pptp))) {
2396 - printk(KERN_ERR "Unable to register conntrack application "
2397 - "helper for pptp: %d\n", retcode);
2404 -static void __exit fini(void)
2406 - ip_conntrack_helper_unregister(&pptp);
2412 -EXPORT_SYMBOL(ip_pptp_lock);
2413 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h
2414 --- linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 2003-07-04 04:12:31.000000000 -0400
2415 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 1969-12-31 19:00:00.000000000 -0500
2417 -#ifndef _IP_CT_PPTP_PRIV_H
2418 -#define _IP_CT_PPTP_PRIV_H
2420 -/* PptpControlMessageType names */
2421 -static const char *strMName[] = {
2422 - "UNKNOWN_MESSAGE",
2423 - "START_SESSION_REQUEST",
2424 - "START_SESSION_REPLY",
2425 - "STOP_SESSION_REQUEST",
2426 - "STOP_SESSION_REPLY",
2429 - "OUT_CALL_REQUEST",
2431 - "IN_CALL_REQUEST",
2433 - "IN_CALL_CONNECT",
2434 - "CALL_CLEAR_REQUEST",
2435 - "CALL_DISCONNECT_NOTIFY",
2436 - "WAN_ERROR_NOTIFY",
2441 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c
2442 --- linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c 2003-07-04 04:12:31.000000000 -0400
2443 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c 1969-12-31 19:00:00.000000000 -0500
2446 - * ip_conntrack_proto_gre.c - Version 1.11
2448 - * Connection tracking protocol helper module for GRE.
2450 - * GRE is a generic encapsulation protocol, which is generally not very
2451 - * suited for NAT, as it has no protocol-specific part as port numbers.
2453 - * It has an optional key field, which may help us distinguishing two
2454 - * connections between the same two hosts.
2456 - * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
2458 - * PPTP is built on top of a modified version of GRE, and has a mandatory
2459 - * field called "CallID", which serves us for the same purpose as the key
2460 - * field in plain GRE.
2462 - * Documentation about PPTP can be found in RFC 2637
2464 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
2466 - * Development of this code funded by Astaro AG (http://www.astaro.com/)
2470 -#include <linux/config.h>
2471 -#include <linux/module.h>
2472 -#include <linux/types.h>
2473 -#include <linux/timer.h>
2474 -#include <linux/netfilter.h>
2475 -#include <linux/ip.h>
2476 -#include <linux/in.h>
2477 -#include <linux/list.h>
2479 -#include <linux/netfilter_ipv4/lockhelp.h>
2481 -DECLARE_RWLOCK(ip_ct_gre_lock);
2482 -#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_ct_gre_lock)
2483 -#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_ct_gre_lock)
2485 -#include <linux/netfilter_ipv4/listhelp.h>
2486 -#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
2487 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
2488 -#include <linux/netfilter_ipv4/ip_conntrack_core.h>
2490 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
2491 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
2493 -MODULE_LICENSE("GPL");
2494 -MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
2495 -MODULE_DESCRIPTION("netfilter connection tracking protocol helper for GRE");
2497 -/* shamelessly stolen from ip_conntrack_proto_udp.c */
2498 -#define GRE_TIMEOUT (30*HZ)
2499 -#define GRE_STREAM_TIMEOUT (180*HZ)
2501 -#define DEBUGP(x, args...)
2502 -#define DUMP_TUPLE_GRE(x)
2504 -/* GRE KEYMAP HANDLING FUNCTIONS */
2505 -static LIST_HEAD(gre_keymap_list);
2507 -static inline int gre_key_cmpfn(const struct ip_ct_gre_keymap *km,
2508 - const struct ip_conntrack_tuple *t)
2510 - return ((km->tuple.src.ip == t->src.ip) &&
2511 - (km->tuple.dst.ip == t->dst.ip) &&
2512 - (km->tuple.dst.protonum == t->dst.protonum) &&
2513 - (km->tuple.dst.u.all == t->dst.u.all));
2516 -/* look up the source key for a given tuple */
2517 -static u_int32_t gre_keymap_lookup(struct ip_conntrack_tuple *t)
2519 - struct ip_ct_gre_keymap *km;
2522 - READ_LOCK(&ip_ct_gre_lock);
2523 - km = LIST_FIND(&gre_keymap_list, gre_key_cmpfn,
2524 - struct ip_ct_gre_keymap *, t);
2526 - READ_UNLOCK(&ip_ct_gre_lock);
2530 - key = km->tuple.src.u.gre.key;
2531 - READ_UNLOCK(&ip_ct_gre_lock);
2536 -/* add a single keymap entry, associate with specified expect */
2537 -int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
2538 - struct ip_conntrack_tuple *t, int reply)
2540 - struct ip_ct_gre_keymap *km;
2542 - km = kmalloc(sizeof(*km), GFP_ATOMIC);
2546 - /* initializing list head should be sufficient */
2547 - memset(km, 0, sizeof(*km));
2549 - memcpy(&km->tuple, t, sizeof(*t));
2553 - exp->proto.gre.keymap_orig = km;
2555 - exp->proto.gre.keymap_reply = km;
2557 - DEBUGP("adding new entry %p: ", km);
2558 - DUMP_TUPLE_GRE(&km->tuple);
2560 - WRITE_LOCK(&ip_ct_gre_lock);
2561 - list_append(&gre_keymap_list, km);
2562 - WRITE_UNLOCK(&ip_ct_gre_lock);
2567 -/* change the tuple of a keymap entry (used by nat helper) */
2568 -void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
2569 - struct ip_conntrack_tuple *t)
2571 - DEBUGP("changing entry %p to: ", km);
2572 - DUMP_TUPLE_GRE(t);
2574 - WRITE_LOCK(&ip_ct_gre_lock);
2575 - memcpy(&km->tuple, t, sizeof(km->tuple));
2576 - WRITE_UNLOCK(&ip_ct_gre_lock);
2580 -/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
2582 -/* invert gre part of tuple */
2583 -static int gre_invert_tuple(struct ip_conntrack_tuple *tuple,
2584 - const struct ip_conntrack_tuple *orig)
2586 - tuple->dst.u.gre.protocol = orig->dst.u.gre.protocol;
2587 - tuple->dst.u.gre.version = orig->dst.u.gre.version;
2589 - tuple->dst.u.gre.key = orig->src.u.gre.key;
2590 - tuple->src.u.gre.key = orig->dst.u.gre.key;
2595 -/* gre hdr info to tuple */
2596 -static int gre_pkt_to_tuple(const void *datah, size_t datalen,
2597 - struct ip_conntrack_tuple *tuple)
2599 - struct gre_hdr *grehdr = (struct gre_hdr *) datah;
2600 - struct gre_hdr_pptp *pgrehdr = (struct gre_hdr_pptp *) datah;
2603 - /* core guarantees 8 protocol bytes, no need for size check */
2605 - tuple->dst.u.gre.version = grehdr->version;
2606 - tuple->dst.u.gre.protocol = grehdr->protocol;
2608 - switch (grehdr->version) {
2609 - case GRE_VERSION_1701:
2610 - if (!grehdr->key) {
2611 - DEBUGP("Can't track GRE without key\n");
2614 - tuple->dst.u.gre.key = *(gre_key(grehdr));
2617 - case GRE_VERSION_PPTP:
2618 - if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) {
2619 - DEBUGP("GRE_VERSION_PPTP but unknown proto\n");
2622 - tuple->dst.u.gre.key = htonl(ntohs(pgrehdr->call_id));
2626 - printk(KERN_WARNING "unknown GRE version %hu\n",
2627 - tuple->dst.u.gre.version);
2631 - srckey = gre_keymap_lookup(tuple);
2633 - tuple->src.u.gre.key = srckey;
2638 -/* print gre part of tuple */
2639 -static unsigned int gre_print_tuple(char *buffer,
2640 - const struct ip_conntrack_tuple *tuple)
2642 - return sprintf(buffer, "version=%d protocol=0x%04x srckey=0x%x dstkey=0x%x ",
2643 - tuple->dst.u.gre.version,
2644 - ntohs(tuple->dst.u.gre.protocol),
2645 - ntohl(tuple->src.u.gre.key),
2646 - ntohl(tuple->dst.u.gre.key));
2649 -/* print private data for conntrack */
2650 -static unsigned int gre_print_conntrack(char *buffer,
2651 - const struct ip_conntrack *ct)
2653 - return sprintf(buffer, "timeout=%u, stream_timeout=%u ",
2654 - (ct->proto.gre.timeout / HZ),
2655 - (ct->proto.gre.stream_timeout / HZ));
2658 -/* Returns verdict for packet, and may modify conntrack */
2659 -static int gre_packet(struct ip_conntrack *ct,
2660 - struct iphdr *iph, size_t len,
2661 - enum ip_conntrack_info conntrackinfo)
2663 - /* If we've seen traffic both ways, this is a GRE connection.
2664 - * Extend timeout. */
2665 - if (ct->status & IPS_SEEN_REPLY) {
2666 - ip_ct_refresh(ct, ct->proto.gre.stream_timeout);
2667 - /* Also, more likely to be important, and not a probe. */
2668 - set_bit(IPS_ASSURED_BIT, &ct->status);
2670 - ip_ct_refresh(ct, ct->proto.gre.timeout);
2675 -/* Called when a new connection for this protocol found. */
2676 -static int gre_new(struct ip_conntrack *ct,
2677 - struct iphdr *iph, size_t len)
2680 - DUMP_TUPLE_GRE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
2682 - /* initialize to sane value. Ideally a conntrack helper
2683 - * (e.g. in case of pptp) is increasing them */
2684 - ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT;
2685 - ct->proto.gre.timeout = GRE_TIMEOUT;
2690 -/* Called when a conntrack entry has already been removed from the hashes
2691 - * and is about to be deleted from memory */
2692 -static void gre_destroy(struct ip_conntrack *ct)
2694 - struct ip_conntrack_expect *master = ct->master;
2696 - DEBUGP(" entering\n");
2699 - DEBUGP("no master exp for ct %p\n", ct);
2703 - WRITE_LOCK(&ip_ct_gre_lock);
2704 - if (master->proto.gre.keymap_orig) {
2705 - DEBUGP("removing %p from list\n", master->proto.gre.keymap_orig);
2706 - list_del(&master->proto.gre.keymap_orig->list);
2707 - kfree(master->proto.gre.keymap_orig);
2709 - if (master->proto.gre.keymap_reply) {
2710 - DEBUGP("removing %p from list\n", master->proto.gre.keymap_reply);
2711 - list_del(&master->proto.gre.keymap_reply->list);
2712 - kfree(master->proto.gre.keymap_reply);
2714 - WRITE_UNLOCK(&ip_ct_gre_lock);
2717 -/* protocol helper struct */
2718 -static struct ip_conntrack_protocol gre = { { NULL, NULL }, IPPROTO_GRE,
2723 - gre_print_conntrack,
2730 -/* ip_conntrack_proto_gre initialization */
2731 -static int __init init(void)
2735 - if ((retcode = ip_conntrack_protocol_register(&gre))) {
2736 - printk(KERN_ERR "Unable to register conntrack protocol "
2737 - "helper for gre: %d\n", retcode);
2744 -static void __exit fini(void)
2746 - struct list_head *pos, *n;
2748 - /* delete all keymap entries */
2749 - WRITE_LOCK(&ip_ct_gre_lock);
2750 - list_for_each_safe(pos, n, &gre_keymap_list) {
2751 - DEBUGP("deleting keymap %p\n", pos);
2755 - WRITE_UNLOCK(&ip_ct_gre_lock);
2757 - ip_conntrack_protocol_unregister(&gre);
2760 -EXPORT_SYMBOL(ip_ct_gre_keymap_add);
2761 -EXPORT_SYMBOL(ip_ct_gre_keymap_change);
2765 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
2766 --- linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2003-08-12 07:33:45.000000000 -0400
2767 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-05-09 04:13:03.000000000 -0400
2769 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
2770 #include <linux/netfilter_ipv4/lockhelp.h>
2773 +#define DEBUGP printk
2775 #define DEBUGP(format, args...)
2778 /* Protects conntrack->proto.tcp */
2779 static DECLARE_RWLOCK(tcp_lock);
2781 +/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
2782 + closely. They're more complex. --RR */
2784 /* Actually, I believe that neither ipmasq (where this code is stolen
2785 from) nor ipfilter do it exactly right. A new conntrack machine taking
2791 +#define MINS * 60 SECS
2792 +#define HOURS * 60 MINS
2793 +#define DAYS * 24 HOURS
2796 +static unsigned long tcp_timeouts[]
2797 += { 30 MINS, /* TCP_CONNTRACK_NONE, */
2798 + 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
2799 + 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
2800 + 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
2801 + 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
2802 + 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
2803 + 10 SECS, /* TCP_CONNTRACK_CLOSE, */
2804 + 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
2805 + 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
2806 + 2 MINS, /* TCP_CONNTRACK_LISTEN, */
2809 #define sNO TCP_CONNTRACK_NONE
2810 #define sES TCP_CONNTRACK_ESTABLISHED
2811 #define sSS TCP_CONNTRACK_SYN_SENT
2812 @@ -161,13 +186,13 @@
2813 && tcph->syn && tcph->ack)
2814 conntrack->proto.tcp.handshake_ack
2815 = htonl(ntohl(tcph->seq) + 1);
2816 + WRITE_UNLOCK(&tcp_lock);
2818 /* If only reply is a RST, we can consider ourselves not to
2819 have an established connection: this is a fairly common
2820 problem case, so we can delete the conntrack
2821 immediately. --RR */
2822 if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {
2823 - WRITE_UNLOCK(&tcp_lock);
2824 if (del_timer(&conntrack->timeout))
2825 conntrack->timeout.function((unsigned long)conntrack);
2828 && tcph->ack_seq == conntrack->proto.tcp.handshake_ack)
2829 set_bit(IPS_ASSURED_BIT, &conntrack->status);
2831 - WRITE_UNLOCK(&tcp_lock);
2832 - ip_ct_refresh(conntrack,
2833 - sysctl_ip_conntrack_tcp_timeouts[newconntrack]);
2834 + ip_ct_refresh(conntrack, tcp_timeouts[newconntrack]);
2838 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c
2839 --- linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2003-08-12 07:33:45.000000000 -0400
2840 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2004-05-09 04:13:03.000000000 -0400
2842 #include <linux/in.h>
2843 #include <linux/udp.h>
2844 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
2845 -#include <linux/netfilter_ipv4/ip_conntrack_udp.h>
2847 +#define UDP_TIMEOUT (30*HZ)
2848 +#define UDP_STREAM_TIMEOUT (180*HZ)
2850 static int udp_pkt_to_tuple(const void *datah, size_t datalen,
2851 struct ip_conntrack_tuple *tuple)
2853 /* If we've seen traffic both ways, this is some kind of UDP
2854 stream. Extend timeout. */
2855 if (conntrack->status & IPS_SEEN_REPLY) {
2856 - ip_ct_refresh(conntrack,
2857 - sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]);
2858 + ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
2859 /* Also, more likely to be important, and not a probe */
2860 set_bit(IPS_ASSURED_BIT, &conntrack->status);
2862 - ip_ct_refresh(conntrack,
2863 - sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]);
2864 + ip_ct_refresh(conntrack, UDP_TIMEOUT);
2868 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_standalone.c linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c
2869 --- linux/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-08-12 07:33:45.000000000 -0400
2870 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-05-09 04:13:03.000000000 -0400
2872 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
2873 #include <linux/netfilter_ipv4/listhelp.h>
2876 +#define DEBUGP printk
2878 #define DEBUGP(format, args...)
2881 struct module *ip_conntrack_module = THIS_MODULE;
2882 MODULE_LICENSE("GPL");
2887 +/* FIXME: Don't print source proto part. --RR */
2889 print_expect(char *buffer, const struct ip_conntrack_expect *expect)
2893 - if (!expect || !expect->expectant || !expect->expectant->helper) {
2894 - DEBUGP("expect %x expect->expectant %x expect->expectant->helper %x\n",
2895 - expect, expect->expectant, expect->expectant->helper);
2899 if (expect->expectant->helper->timeout)
2900 len = sprintf(buffer, "EXPECTING: %lu ",
2901 timer_pending(&expect->timeout)
2906 +/* FIXME: Allow NULL functions and sub in pointers to generic for
2908 int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
2912 EXPORT_SYMBOL(ip_ct_find_proto);
2913 EXPORT_SYMBOL(__ip_ct_find_proto);
2914 EXPORT_SYMBOL(ip_ct_find_helper);
2915 -EXPORT_SYMBOL(sysctl_ip_conntrack_tcp_timeouts);
2916 -EXPORT_SYMBOL(sysctl_ip_conntrack_udp_timeouts);
2917 EXPORT_SYMBOL(ip_conntrack_expect_related);
2918 EXPORT_SYMBOL(ip_conntrack_change_expect);
2919 EXPORT_SYMBOL(ip_conntrack_unexpect_related);
2920 diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_tftp.c linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c
2921 --- linux/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-07-04 04:12:31.000000000 -0400
2922 +++ linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c 1969-12-31 19:00:00.000000000 -0500
2925 - * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu>
2928 - * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org>
2929 - * - port to newnat API
2933 -#include <linux/module.h>
2934 -#include <linux/ip.h>
2935 -#include <linux/udp.h>
2937 -#include <linux/netfilter.h>
2938 -#include <linux/netfilter_ipv4/ip_tables.h>
2939 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
2940 -#include <linux/netfilter_ipv4/ip_conntrack_tftp.h>
2942 -MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>");
2943 -MODULE_DESCRIPTION("Netfilter connection tracking module for tftp");
2944 -MODULE_LICENSE("GPL");
2946 -#define MAX_PORTS 8
2947 -static int ports[MAX_PORTS];
2948 -static int ports_c = 0;
2950 -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
2951 -MODULE_PARM_DESC(ports, "port numbers of tftp servers");
2954 -#define DEBUGP(format, args...)
2956 -static int tftp_help(const struct iphdr *iph, size_t len,
2957 - struct ip_conntrack *ct,
2958 - enum ip_conntrack_info ctinfo)
2960 - struct udphdr *udph = (void *)iph + iph->ihl * 4;
2961 - struct tftphdr *tftph = (void *)udph + 8;
2962 - struct ip_conntrack_expect exp;
2964 - switch (ntohs(tftph->opcode)) {
2965 - /* RRQ and WRQ works the same way */
2966 - case TFTP_OPCODE_READ:
2967 - case TFTP_OPCODE_WRITE:
2969 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
2970 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
2971 - memset(&exp, 0, sizeof(exp));
2973 - exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
2974 - exp.mask.src.ip = 0xffffffff;
2975 - exp.mask.dst.ip = 0xffffffff;
2976 - exp.mask.dst.u.udp.port = 0xffff;
2977 - exp.mask.dst.protonum = 0xffff;
2978 - exp.expectfn = NULL;
2980 - DEBUGP("expect: ");
2981 - DUMP_TUPLE(&exp.tuple);
2982 - DUMP_TUPLE(&exp.mask);
2983 - ip_conntrack_expect_related(ct, &exp);
2986 - DEBUGP("Unknown opcode\n");
2991 -static struct ip_conntrack_helper tftp[MAX_PORTS];
2992 -static char tftp_names[MAX_PORTS][10];
2994 -static void fini(void)
2998 - for (i = 0 ; i < ports_c; i++) {
2999 - DEBUGP("unregistering helper for port %d\n",
3001 - ip_conntrack_helper_unregister(&tftp[i]);
3005 -static int __init init(void)
3011 - ports[0]=TFTP_PORT;
3013 - for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
3014 - /* Create helper structure */
3015 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
3017 - tftp[i].tuple.dst.protonum = IPPROTO_UDP;
3018 - tftp[i].tuple.src.u.udp.port = htons(ports[i]);
3019 - tftp[i].mask.dst.protonum = 0xFFFF;
3020 - tftp[i].mask.src.u.udp.port = 0xFFFF;
3021 - tftp[i].max_expected = 1;
3022 - tftp[i].timeout = 0;
3023 - tftp[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
3024 - tftp[i].me = THIS_MODULE;
3025 - tftp[i].help = tftp_help;
3027 - tmpname = &tftp_names[i][0];
3028 - if (ports[i] == TFTP_PORT)
3029 - sprintf(tmpname, "tftp");
3031 - sprintf(tmpname, "tftp-%d", i);
3032 - tftp[i].name = tmpname;
3034 - DEBUGP("port #%d: %d\n", i, ports[i]);
3036 - ret=ip_conntrack_helper_register(&tftp[i]);
3038 - printk("ERROR registering helper for port %d\n",
3050 diff -Nurb linux/net/ipv4/netfilter/ip_nat_core.c linux.stock/net/ipv4/netfilter/ip_nat_core.c
3051 --- linux/net/ipv4/netfilter/ip_nat_core.c 2003-07-04 04:12:31.000000000 -0400
3052 +++ linux.stock/net/ipv4/netfilter/ip_nat_core.c 2004-05-09 04:13:03.000000000 -0400
3054 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
3055 #include <linux/netfilter_ipv4/listhelp.h>
3058 +#define DEBUGP printk
3060 #define DEBUGP(format, args...)
3063 DECLARE_RWLOCK(ip_nat_lock);
3064 DECLARE_RWLOCK_EXTERN(ip_conntrack_lock);
3069 + /* FIXME: IPTOS_TOS(iph->tos) --RR */
3070 if (ip_route_output(&rt, var_ip, 0, 0, 0) != 0) {
3071 DEBUGP("do_extra_mangle: Can't get route to %u.%u.%u.%u\n",
3074 *tuple = *orig_tuple;
3075 while ((rptr = find_best_ips_proto_fast(tuple, mr, conntrack, hooknum))
3077 - DEBUGP("Found best for "); DUMP_TUPLE_RAW(tuple);
3078 + DEBUGP("Found best for "); DUMP_TUPLE(tuple);
3079 /* 3) The per-protocol part of the manip is made to
3080 map into the range to make a unique tuple. */
3082 @@ -529,6 +534,31 @@
3083 invert_tuplepr(&orig_tp,
3084 &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple);
3090 + DEBUGP("Hook %u (%s), ", hooknum,
3091 + HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST");
3092 + DUMP_TUPLE(&orig_tp);
3093 + DEBUGP("Range %p: ", mr);
3094 + for (i = 0; i < mr->rangesize; i++) {
3095 + DEBUGP("%u:%s%s%s %u.%u.%u.%u - %u.%u.%u.%u %u - %u\n",
3097 + (mr->range[i].flags & IP_NAT_RANGE_MAP_IPS)
3098 + ? " MAP_IPS" : "",
3099 + (mr->range[i].flags
3100 + & IP_NAT_RANGE_PROTO_SPECIFIED)
3101 + ? " PROTO_SPECIFIED" : "",
3102 + (mr->range[i].flags & IP_NAT_RANGE_FULL)
3104 + NIPQUAD(mr->range[i].min_ip),
3105 + NIPQUAD(mr->range[i].max_ip),
3106 + mr->range[i].min.all,
3107 + mr->range[i].max.all);
3113 if (!get_unique_tuple(&new_tuple, &orig_tp, mr, conntrack,
3114 @@ -538,6 +568,15 @@
3119 + DEBUGP("Hook %u (%s) %p\n", hooknum,
3120 + HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST",
3122 + DEBUGP("Original: ");
3123 + DUMP_TUPLE(&orig_tp);
3125 + DUMP_TUPLE(&new_tuple);
3128 /* We now have two tuples (SRCIP/SRCPT/DSTIP/DSTPT):
3129 the original (A/B/C/D') and the mangled one (E/F/G/H').
3131 If fail this race (reply tuple now used), repeat. */
3132 } while (!ip_conntrack_alter_reply(conntrack, &reply));
3134 + /* FIXME: We can simply used existing conntrack reply tuple
3136 /* Create inverse of original: C/D/A/B' */
3137 invert_tuplepr(&inv_tuple, &orig_tp);
3139 @@ -678,6 +719,17 @@
3141 iph->daddr = manip->ip;
3144 + if (ip_fast_csum((u8 *)iph, iph->ihl) != 0)
3145 + DEBUGP("IP: checksum on packet bad.\n");
3147 + if (proto == IPPROTO_TCP) {
3148 + void *th = (u_int32_t *)iph + iph->ihl;
3149 + if (tcp_v4_check(th, len - 4*iph->ihl, iph->saddr, iph->daddr,
3150 + csum_partial((char *)th, len-4*iph->ihl, 0)))
3151 + DEBUGP("TCP: checksum on packet bad\n");
3156 static inline int exp_for_packet(struct ip_conntrack_expect *exp,
3160 if (exp_for_packet(exp, pskb)) {
3161 + /* FIXME: May be true multiple times in the case of UDP!! */
3162 DEBUGP("calling nat helper (exp=%p) for packet\n",
3164 ret = helper->help(ct, exp, info, ctinfo,
3166 INIT_LIST_HEAD(&byipsproto[i]);
3169 + /* FIXME: Man, this is a hack. <SIGH> */
3170 IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
3171 ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
3173 diff -Nurb linux/net/ipv4/netfilter/ip_nat_h323.c linux.stock/net/ipv4/netfilter/ip_nat_h323.c
3174 --- linux/net/ipv4/netfilter/ip_nat_h323.c 2003-07-04 04:12:31.000000000 -0400
3175 +++ linux.stock/net/ipv4/netfilter/ip_nat_h323.c 1969-12-31 19:00:00.000000000 -0500
3178 - * H.323 'brute force' extension for NAT alteration.
3179 - * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3181 - * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
3182 - * (http://www.coritel.it/projects/sofia/nat.html)
3183 - * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind'
3184 - * the unregistered helpers to the conntrack entries.
3188 -#include <linux/module.h>
3189 -#include <linux/netfilter.h>
3190 -#include <linux/ip.h>
3191 -#include <net/checksum.h>
3192 -#include <net/tcp.h>
3194 -#include <linux/netfilter_ipv4/lockhelp.h>
3195 -#include <linux/netfilter_ipv4/ip_nat.h>
3196 -#include <linux/netfilter_ipv4/ip_nat_helper.h>
3197 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
3198 -#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
3199 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
3200 -#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
3202 -MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
3203 -MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
3204 -MODULE_LICENSE("GPL");
3206 -DECLARE_LOCK_EXTERN(ip_h323_lock);
3207 -struct module *ip_nat_h323 = THIS_MODULE;
3209 -#define DEBUGP(format, args...)
3212 -static unsigned int
3213 -h225_nat_expected(struct sk_buff **pskb,
3214 - unsigned int hooknum,
3215 - struct ip_conntrack *ct,
3216 - struct ip_nat_info *info);
3218 -static unsigned int h225_nat_help(struct ip_conntrack *ct,
3219 - struct ip_conntrack_expect *exp,
3220 - struct ip_nat_info *info,
3221 - enum ip_conntrack_info ctinfo,
3222 - unsigned int hooknum,
3223 - struct sk_buff **pskb);
3225 -static struct ip_nat_helper h245 =
3227 - "H.245", /* name */
3229 - NULL, /* module */
3230 - { { 0, { 0 } }, /* tuple */
3231 - { 0, { 0 }, IPPROTO_TCP } },
3232 - { { 0, { 0xFFFF } }, /* mask */
3233 - { 0, { 0 }, 0xFFFF } },
3234 - h225_nat_help, /* helper */
3235 - h225_nat_expected /* expectfn */
3238 -static unsigned int
3239 -h225_nat_expected(struct sk_buff **pskb,
3240 - unsigned int hooknum,
3241 - struct ip_conntrack *ct,
3242 - struct ip_nat_info *info)
3244 - struct ip_nat_multi_range mr;
3245 - u_int32_t newdstip, newsrcip, newip;
3247 - struct ip_ct_h225_expect *exp_info;
3248 - struct ip_ct_h225_master *master_info;
3249 - struct ip_conntrack *master = master_ct(ct);
3250 - unsigned int is_h225, ret;
3252 - IP_NF_ASSERT(info);
3253 - IP_NF_ASSERT(master);
3255 - IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum))));
3257 - DEBUGP("h225_nat_expected: We have a connection!\n");
3258 - master_info = &ct->master->expectant->help.ct_h225_info;
3259 - exp_info = &ct->master->help.exp_h225_info;
3261 - LOCK_BH(&ip_h323_lock);
3263 - DEBUGP("master: ");
3264 - DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
3265 - DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_REPLY].tuple);
3266 - DEBUGP("conntrack: ");
3267 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
3268 - if (exp_info->dir == IP_CT_DIR_ORIGINAL) {
3269 - /* Make connection go to the client. */
3270 - newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
3271 - newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
3272 - DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to client)\n",
3273 - NIPQUAD(newsrcip), NIPQUAD(newdstip));
3275 - /* Make the connection go to the server */
3276 - newdstip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
3277 - newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
3278 - DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to server)\n",
3279 - NIPQUAD(newsrcip), NIPQUAD(newdstip));
3281 - port = exp_info->port;
3282 - is_h225 = master_info->is_h225 == H225_PORT;
3283 - UNLOCK_BH(&ip_h323_lock);
3285 - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC)
3290 - DEBUGP("h225_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip));
3293 - /* We don't want to manip the per-protocol, just the IPs... */
3294 - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
3295 - mr.range[0].min_ip = mr.range[0].max_ip = newip;
3297 - /* ... unless we're doing a MANIP_DST, in which case, make
3298 - sure we map to the correct port */
3299 - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
3300 - mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
3301 - mr.range[0].min = mr.range[0].max
3302 - = ((union ip_conntrack_manip_proto)
3306 - ret = ip_nat_setup_info(ct, &mr, hooknum);
3309 - DEBUGP("h225_nat_expected: H.225, setting NAT helper for %p\n", ct);
3310 - /* NAT expectfn called with ip_nat_lock write-locked */
3311 - info->helper = &h245;
3316 -static int h323_signal_address_fixup(struct ip_conntrack *ct,
3317 - struct sk_buff **pskb,
3318 - enum ip_conntrack_info ctinfo)
3320 - struct iphdr *iph = (*pskb)->nh.iph;
3321 - struct tcphdr *tcph = (void *)iph + iph->ihl*4;
3322 - unsigned char *data;
3323 - u_int32_t tcplen = (*pskb)->len - iph->ihl*4;
3324 - u_int32_t datalen = tcplen - tcph->doff*4;
3325 - struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
3328 - u_int8_t buffer[6];
3331 - MUST_BE_LOCKED(&ip_h323_lock);
3333 - DEBUGP("h323_signal_address_fixup: %s %s\n",
3334 - between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
3336 - between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
3338 - if (!(between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)
3339 - || between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen)))
3342 - DEBUGP("h323_signal_address_fixup: offsets %u + 6 and %u + 6 in %u\n",
3343 - info->offset[IP_CT_DIR_ORIGINAL],
3344 - info->offset[IP_CT_DIR_REPLY],
3346 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
3347 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
3349 - for (i = 0; i < IP_CT_DIR_MAX; i++) {
3350 - DEBUGP("h323_signal_address_fixup: %s %s\n",
3351 - info->dir == IP_CT_DIR_ORIGINAL ? "original" : "reply",
3352 - i == IP_CT_DIR_ORIGINAL ? "caller" : "callee");
3353 - if (!between(info->seq[i], ntohl(tcph->seq),
3354 - ntohl(tcph->seq) + datalen))
3356 - if (!between(info->seq[i] + 6, ntohl(tcph->seq),
3357 - ntohl(tcph->seq) + datalen)) {
3358 - /* Partial retransmisison. It's a cracker being funky. */
3359 - if (net_ratelimit()) {
3360 - printk("H.323_NAT: partial packet %u/6 in %u/%u\n",
3363 - ntohl(tcph->seq) + datalen);
3368 - /* Change address inside packet to match way we're mapping
3369 - this connection. */
3370 - if (i == IP_CT_DIR_ORIGINAL) {
3371 - newip = ct->tuplehash[!info->dir].tuple.dst.ip;
3372 - port = ct->tuplehash[!info->dir].tuple.dst.u.tcp.port;
3374 - newip = ct->tuplehash[!info->dir].tuple.src.ip;
3375 - port = ct->tuplehash[!info->dir].tuple.src.u.tcp.port;
3378 - data = (char *) tcph + tcph->doff * 4 + info->offset[i];
3380 - DEBUGP("h323_signal_address_fixup: orig %s IP:port %u.%u.%u.%u:%u\n",
3381 - i == IP_CT_DIR_ORIGINAL ? "source" : "dest ",
3382 - data[0], data[1], data[2], data[3],
3383 - (data[4] << 8 | data[5]));
3385 - /* Modify the packet */
3386 - memcpy(buffer, &newip, 4);
3387 - memcpy(buffer + 4, &port, 2);
3388 - if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset[i],
3392 - DEBUGP("h323_signal_address_fixup: new %s IP:port %u.%u.%u.%u:%u\n",
3393 - i == IP_CT_DIR_ORIGINAL ? "source" : "dest ",
3394 - data[0], data[1], data[2], data[3],
3395 - (data[4] << 8 | data[5]));
3401 -static int h323_data_fixup(struct ip_ct_h225_expect *info,
3402 - struct ip_conntrack *ct,
3403 - struct sk_buff **pskb,
3404 - enum ip_conntrack_info ctinfo,
3405 - struct ip_conntrack_expect *expect)
3409 - u_int8_t buffer[6];
3410 - struct ip_conntrack_tuple newtuple;
3411 - struct iphdr *iph = (*pskb)->nh.iph;
3412 - struct tcphdr *tcph = (void *)iph + iph->ihl*4;
3413 - unsigned char *data;
3414 - u_int32_t tcplen = (*pskb)->len - iph->ihl*4;
3415 - struct ip_ct_h225_master *master_info = &ct->help.ct_h225_info;
3418 - MUST_BE_LOCKED(&ip_h323_lock);
3419 - DEBUGP("h323_data_fixup: offset %u + 6 in %u\n", info->offset, tcplen);
3420 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
3421 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
3423 - if (!between(expect->seq + 6, ntohl(tcph->seq),
3424 - ntohl(tcph->seq) + tcplen - tcph->doff * 4)) {
3425 - /* Partial retransmisison. It's a cracker being funky. */
3426 - if (net_ratelimit()) {
3427 - printk("H.323_NAT: partial packet %u/6 in %u/%u\n",
3430 - ntohl(tcph->seq) + tcplen - tcph->doff * 4);
3435 - /* Change address inside packet to match way we're mapping
3436 - this connection. */
3437 - if (info->dir == IP_CT_DIR_REPLY) {
3438 - /* Must be where client thinks server is */
3439 - newip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
3440 - /* Expect something from client->server */
3441 - newtuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
3442 - newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
3444 - /* Must be where server thinks client is */
3445 - newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
3446 - /* Expect something from server->client */
3447 - newtuple.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
3448 - newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
3451 - is_h225 = (master_info->is_h225 == H225_PORT);
3454 - newtuple.dst.protonum = IPPROTO_TCP;
3455 - newtuple.src.u.tcp.port = expect->tuple.src.u.tcp.port;
3457 - newtuple.dst.protonum = IPPROTO_UDP;
3458 - newtuple.src.u.udp.port = expect->tuple.src.u.udp.port;
3461 - /* Try to get same port: if not, try to change it. */
3462 - for (port = ntohs(info->port); port != 0; port++) {
3464 - newtuple.dst.u.tcp.port = htons(port);
3466 - newtuple.dst.u.udp.port = htons(port);
3468 - if (ip_conntrack_change_expect(expect, &newtuple) == 0)
3472 - DEBUGP("h323_data_fixup: no free port found!\n");
3476 - port = htons(port);
3478 - data = (char *) tcph + tcph->doff * 4 + info->offset;
3480 - DEBUGP("h323_data_fixup: orig IP:port %u.%u.%u.%u:%u\n",
3481 - data[0], data[1], data[2], data[3],
3482 - (data[4] << 8 | data[5]));
3484 - /* Modify the packet */
3485 - memcpy(buffer, &newip, 4);
3486 - memcpy(buffer + 4, &port, 2);
3487 - if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset,
3491 - DEBUGP("h323_data_fixup: new IP:port %u.%u.%u.%u:%u\n",
3492 - data[0], data[1], data[2], data[3],
3493 - (data[4] << 8 | data[5]));
3498 -static unsigned int h225_nat_help(struct ip_conntrack *ct,
3499 - struct ip_conntrack_expect *exp,
3500 - struct ip_nat_info *info,
3501 - enum ip_conntrack_info ctinfo,
3502 - unsigned int hooknum,
3503 - struct sk_buff **pskb)
3506 - struct ip_ct_h225_expect *exp_info;
3508 - /* Only mangle things once: original direction in POST_ROUTING
3509 - and reply direction on PRE_ROUTING. */
3510 - dir = CTINFO2DIR(ctinfo);
3511 - DEBUGP("nat_h323: dir %s at hook %s\n",
3512 - dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
3513 - hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
3514 - : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
3515 - : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
3516 - if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
3517 - || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
3518 - DEBUGP("nat_h323: Not touching dir %s at hook %s\n",
3519 - dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
3520 - hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
3521 - : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
3522 - : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
3527 - LOCK_BH(&ip_h323_lock);
3528 - if (!h323_signal_address_fixup(ct, pskb, ctinfo)) {
3529 - UNLOCK_BH(&ip_h323_lock);
3532 - UNLOCK_BH(&ip_h323_lock);
3536 - exp_info = &exp->help.exp_h225_info;
3538 - LOCK_BH(&ip_h323_lock);
3539 - if (!h323_data_fixup(exp_info, ct, pskb, ctinfo, exp)) {
3540 - UNLOCK_BH(&ip_h323_lock);
3543 - UNLOCK_BH(&ip_h323_lock);
3548 -static struct ip_nat_helper h225 =
3550 - "H.225", /* name */
3551 - IP_NAT_HELPER_F_ALWAYS, /* flags */
3552 - THIS_MODULE, /* module */
3553 - { { 0, { __constant_htons(H225_PORT) } }, /* tuple */
3554 - { 0, { 0 }, IPPROTO_TCP } },
3555 - { { 0, { 0xFFFF } }, /* mask */
3556 - { 0, { 0 }, 0xFFFF } },
3557 - h225_nat_help, /* helper */
3558 - h225_nat_expected /* expectfn */
3561 -static int __init init(void)
3565 - ret = ip_nat_helper_register(&h225);
3568 - printk("ip_nat_h323: cannot initialize the module!\n");
3573 -static void __exit fini(void)
3575 - ip_nat_helper_unregister(&h225);
3580 diff -Nurb linux/net/ipv4/netfilter/ip_nat_helper.c linux.stock/net/ipv4/netfilter/ip_nat_helper.c
3581 --- linux/net/ipv4/netfilter/ip_nat_helper.c 2003-07-04 04:12:31.000000000 -0400
3582 +++ linux.stock/net/ipv4/netfilter/ip_nat_helper.c 2004-05-09 04:13:03.000000000 -0400
3584 * - add support for SACK adjustment
3585 * 14 Mar 2002 Harald Welte <laforge@gnumonks.org>:
3586 * - merge SACK support into newnat API
3587 - * 16 Aug 2002 Brian J. Murrell <netfilter@interlinx.bc.ca>:
3588 - * - make ip_nat_resize_packet more generic (TCP and UDP)
3589 - * - add ip_nat_mangle_udp_packet
3591 #include <linux/version.h>
3592 #include <linux/config.h>
3594 #include <net/icmp.h>
3596 #include <net/tcp.h>
3597 -#include <net/udp.h>
3599 #define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_nat_lock)
3600 #define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_nat_lock)
3602 #include <linux/netfilter_ipv4/ip_nat_helper.h>
3603 #include <linux/netfilter_ipv4/listhelp.h>
3606 +#define DEBUGP printk
3607 +#define DUMP_OFFSET(x) printk("offset_before=%d, offset_after=%d, correction_pos=%u\n", x->offset_before, x->offset_after, x->correction_pos);
3609 #define DEBUGP(format, args...)
3610 #define DUMP_OFFSET(x)
3613 DECLARE_LOCK(ip_nat_seqofs_lock);
3619 + struct tcphdr *tcph;
3622 struct ip_nat_seq *this_way, *other_way;
3624 DEBUGP("ip_nat_resize_packet: old_size = %u, new_size = %u\n",
3625 (*skb)->len, new_size);
3627 + iph = (*skb)->nh.iph;
3628 + tcph = (void *)iph + iph->ihl*4;
3629 + data = (void *)tcph + tcph->doff*4;
3631 dir = CTINFO2DIR(ctinfo);
3633 this_way = &ct->nat.info.seq[dir];
3637 iph = (*skb)->nh.iph;
3638 - if (iph->protocol == IPPROTO_TCP) {
3639 - struct tcphdr *tcph = (void *)iph + iph->ihl*4;
3640 - void *data = (void *)tcph + tcph->doff*4;
3641 + tcph = (void *)iph + iph->ihl*4;
3642 + data = (void *)tcph + tcph->doff*4;
3644 DEBUGP("ip_nat_resize_packet: Seq_offset before: ");
3645 DUMP_OFFSET(this_way);
3646 @@ -95,20 +101,25 @@
3647 this_way->correction_pos = ntohl(tcph->seq);
3648 this_way->offset_before = this_way->offset_after;
3649 this_way->offset_after = (int32_t)
3650 - this_way->offset_before + new_size -
3652 + this_way->offset_before + new_size - (*skb)->len;
3655 UNLOCK_BH(&ip_nat_seqofs_lock);
3657 DEBUGP("ip_nat_resize_packet: Seq_offset after: ");
3658 DUMP_OFFSET(this_way);
3665 +/* Generic function for mangling variable-length address changes inside
3666 + * NATed connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX command in FTP).
3668 + * Takes care about all the nasty sequence number changes, checksumming,
3669 + * skb enlargement, ...
3673 ip_nat_mangle_tcp_packet(struct sk_buff **skb,
3674 struct ip_conntrack *ct,
3676 tcph = (void *)iph + iph->ihl*4;
3677 data = (void *)tcph + tcph->doff*4;
3679 - if (rep_len != match_len)
3680 /* move post-replacement */
3681 memmove(data + match_offset + rep_len,
3682 data + match_offset + match_len,
3683 @@ -198,104 +208,6 @@
3688 -ip_nat_mangle_udp_packet(struct sk_buff **skb,
3689 - struct ip_conntrack *ct,
3690 - enum ip_conntrack_info ctinfo,
3691 - unsigned int match_offset,
3692 - unsigned int match_len,
3694 - unsigned int rep_len)
3696 - struct iphdr *iph = (*skb)->nh.iph;
3697 - struct udphdr *udph = (void *)iph + iph->ihl * 4;
3698 - unsigned char *data;
3699 - u_int32_t udplen, newlen, newudplen;
3701 - udplen = (*skb)->len - iph->ihl*4;
3702 - newudplen = udplen - match_len + rep_len;
3703 - newlen = iph->ihl*4 + newudplen;
3705 - if (newlen > 65535) {
3706 - if (net_ratelimit())
3707 - printk("ip_nat_mangle_udp_packet: nat'ed packet "
3708 - "exceeds maximum packet size\n");
3712 - if ((*skb)->len != newlen) {
3713 - if (!ip_nat_resize_packet(skb, ct, ctinfo, newlen)) {
3714 - printk("resize_packet failed!!\n");
3719 - /* Alexey says: if a hook changes _data_ ... it can break
3720 - original packet sitting in tcp queue and this is fatal */
3721 - if (skb_cloned(*skb)) {
3722 - struct sk_buff *nskb = skb_copy(*skb, GFP_ATOMIC);
3724 - if (net_ratelimit())
3725 - printk("Out of memory cloning TCP packet\n");
3728 - /* Rest of kernel will get very unhappy if we pass it
3729 - a suddenly-orphaned skbuff */
3731 - skb_set_owner_w(nskb, (*skb)->sk);
3736 - /* skb may be copied !! */
3737 - iph = (*skb)->nh.iph;
3738 - udph = (void *)iph + iph->ihl*4;
3739 - data = (void *)udph + sizeof(struct udphdr);
3741 - if (rep_len != match_len)
3742 - /* move post-replacement */
3743 - memmove(data + match_offset + rep_len,
3744 - data + match_offset + match_len,
3745 - (*skb)->tail - (data + match_offset + match_len));
3747 - /* insert data from buffer */
3748 - memcpy(data + match_offset, rep_buffer, rep_len);
3750 - /* update skb info */
3751 - if (newlen > (*skb)->len) {
3752 - DEBUGP("ip_nat_mangle_udp_packet: Extending packet by "
3753 - "%u to %u bytes\n", newlen - (*skb)->len, newlen);
3754 - skb_put(*skb, newlen - (*skb)->len);
3756 - DEBUGP("ip_nat_mangle_udp_packet: Shrinking packet from "
3757 - "%u to %u bytes\n", (*skb)->len, newlen);
3758 - skb_trim(*skb, newlen);
3761 - /* update the length of the UDP and IP packets to the new values*/
3762 - udph->len = htons((*skb)->len - iph->ihl*4);
3763 - iph->tot_len = htons(newlen);
3765 - /* fix udp checksum if udp checksum was previously calculated */
3766 - if ((*skb)->csum != 0) {
3767 - (*skb)->csum = csum_partial((char *)udph +
3768 - sizeof(struct udphdr),
3769 - newudplen - sizeof(struct udphdr),
3773 - udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
3774 - newudplen, IPPROTO_UDP,
3775 - csum_partial((char *)udph,
3776 - sizeof(struct udphdr),
3780 - ip_send_check(iph);
3785 /* Adjust one found SACK option including checksum correction */
3787 sack_adjust(struct tcphdr *tcph,
3788 diff -Nurb linux/net/ipv4/netfilter/ip_nat_mms.c linux.stock/net/ipv4/netfilter/ip_nat_mms.c
3789 --- linux/net/ipv4/netfilter/ip_nat_mms.c 2003-07-04 04:12:31.000000000 -0400
3790 +++ linux.stock/net/ipv4/netfilter/ip_nat_mms.c 1969-12-31 19:00:00.000000000 -0500
3792 -/* MMS extension for TCP NAT alteration.
3793 - * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
3794 - * based on ip_nat_ftp.c and ip_nat_irc.c
3796 - * ip_nat_mms.c v0.3 2002-09-22
3798 - * This program is free software; you can redistribute it and/or
3799 - * modify it under the terms of the GNU General Public License
3800 - * as published by the Free Software Foundation; either version
3801 - * 2 of the License, or (at your option) any later version.
3803 - * Module load syntax:
3804 - * insmod ip_nat_mms.o ports=port1,port2,...port<MAX_PORTS>
3806 - * Please give the ports of all MMS servers You wish to connect to.
3807 - * If you don't specify ports, the default will be TCP port 1755.
3809 - * More info on MMS protocol, firewalls and NAT:
3810 - * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp
3811 - * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp
3813 - * The SDP project people are reverse-engineering MMS:
3814 - * http://get.to/sdp
3818 -#include <linux/module.h>
3819 -#include <linux/netfilter_ipv4.h>
3820 -#include <linux/ip.h>
3821 -#include <linux/tcp.h>
3822 -#include <net/tcp.h>
3823 -#include <linux/netfilter_ipv4/ip_nat.h>
3824 -#include <linux/netfilter_ipv4/ip_nat_helper.h>
3825 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
3826 -#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
3827 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
3829 -#define DEBUGP(format, args...)
3830 -#define DUMP_BYTES(address, counter)
3832 -#define MAX_PORTS 8
3833 -static int ports[MAX_PORTS];
3834 -static int ports_c = 0;
3837 -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
3840 -MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
3841 -MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) NAT module");
3842 -MODULE_LICENSE("GPL");
3844 -DECLARE_LOCK_EXTERN(ip_mms_lock);
3847 -static int mms_data_fixup(const struct ip_ct_mms_expect *ct_mms_info,
3848 - struct ip_conntrack *ct,
3849 - struct sk_buff **pskb,
3850 - enum ip_conntrack_info ctinfo,
3851 - struct ip_conntrack_expect *expect)
3854 - struct ip_conntrack_tuple t;
3855 - struct iphdr *iph = (*pskb)->nh.iph;
3856 - struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
3857 - char *data = (char *)tcph + tcph->doff * 4;
3858 - int i, j, k, port;
3859 - u_int16_t mms_proto;
3861 - u_int32_t *mms_chunkLenLV = (u_int32_t *)(data + MMS_SRV_CHUNKLENLV_OFFSET);
3862 - u_int32_t *mms_chunkLenLM = (u_int32_t *)(data + MMS_SRV_CHUNKLENLM_OFFSET);
3863 - u_int32_t *mms_messageLength = (u_int32_t *)(data + MMS_SRV_MESSAGELENGTH_OFFSET);
3867 - char buffer[28]; /* "\\255.255.255.255\UDP\65635" * 2 (for unicode) */
3868 - char unicode_buffer[75]; /* 27*2 (unicode) + 20 + 1 */
3869 - char proto_string[6];
3871 - MUST_BE_LOCKED(&ip_mms_lock);
3873 - /* what was the protocol again ? */
3874 - mms_proto = expect->tuple.dst.protonum;
3875 - sprintf(proto_string, "%u", mms_proto);
3877 - DEBUGP("ip_nat_mms: mms_data_fixup: info (seq %u + %u) in %u, proto %s\n",
3878 - expect->seq, ct_mms_info->len, ntohl(tcph->seq),
3879 - mms_proto == IPPROTO_UDP ? "UDP"
3880 - : mms_proto == IPPROTO_TCP ? "TCP":proto_string);
3882 - newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
3884 - /* Alter conntrack's expectations. */
3885 - t = expect->tuple;
3887 - for (port = ct_mms_info->port; port != 0; port++) {
3888 - t.dst.u.tcp.port = htons(port);
3889 - if (ip_conntrack_change_expect(expect, &t) == 0) {
3890 - DEBUGP("ip_nat_mms: mms_data_fixup: using port %d\n", port);
3898 - sprintf(buffer, "\\\\%u.%u.%u.%u\\%s\\%u",
3900 - expect->tuple.dst.protonum == IPPROTO_UDP ? "UDP"
3901 - : expect->tuple.dst.protonum == IPPROTO_TCP ? "TCP":proto_string,
3903 - DEBUGP("ip_nat_mms: new unicode string=%s\n", buffer);
3905 - memset(unicode_buffer, 0, sizeof(char)*75);
3907 - for (i=0; i<strlen(buffer); ++i)
3908 - *(unicode_buffer+i*2)=*(buffer+i);
3910 - DEBUGP("ip_nat_mms: mms_data_fixup: padding: %u len: %u\n", ct_mms_info->padding, ct_mms_info->len);
3911 - DEBUGP("ip_nat_mms: mms_data_fixup: offset: %u\n", MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len);
3912 - DUMP_BYTES(data+MMS_SRV_UNICODE_STRING_OFFSET, 60);
3914 - /* add end of packet to it */
3915 - for (j=0; j<ct_mms_info->padding; ++j) {
3916 - DEBUGP("ip_nat_mms: mms_data_fixup: i=%u j=%u byte=%u\n",
3917 - i, j, (u8)*(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j));
3918 - *(unicode_buffer+i*2+j) = *(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j);
3921 - /* pad with zeroes at the end ? see explanation of weird math below */
3922 - zero_padding = (8-(strlen(buffer)*2 + ct_mms_info->padding + 4)%8)%8;
3923 - for (k=0; k<zero_padding; ++k)
3924 - *(unicode_buffer+i*2+j+k)= (char)0;
3926 - DEBUGP("ip_nat_mms: mms_data_fixup: zero_padding = %u\n", zero_padding);
3927 - DEBUGP("ip_nat_mms: original=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n",
3928 - *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength);
3930 - /* explanation, before I forget what I did:
3931 - strlen(buffer)*2 + ct_mms_info->padding + 4 must be divisable by 8;
3932 - divide by 8 and add 3 to compute the mms_chunkLenLM field,
3933 - but note that things may have to be padded with zeroes to align by 8
3934 - bytes, hence we add 7 and divide by 8 to get the correct length */
3935 - *mms_chunkLenLM = (u_int32_t) (3+(strlen(buffer)*2+ct_mms_info->padding+11)/8);
3936 - *mms_chunkLenLV = *mms_chunkLenLM+2;
3937 - *mms_messageLength = *mms_chunkLenLV*8;
3939 - DEBUGP("ip_nat_mms: modified=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n",
3940 - *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength);
3942 - ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
3943 - expect->seq - ntohl(tcph->seq),
3944 - ct_mms_info->len + ct_mms_info->padding, unicode_buffer,
3945 - strlen(buffer)*2 + ct_mms_info->padding + zero_padding);
3946 - DUMP_BYTES(unicode_buffer, 60);
3951 -static unsigned int
3952 -mms_nat_expected(struct sk_buff **pskb,
3953 - unsigned int hooknum,
3954 - struct ip_conntrack *ct,
3955 - struct ip_nat_info *info)
3957 - struct ip_nat_multi_range mr;
3958 - u_int32_t newdstip, newsrcip, newip;
3960 - struct ip_conntrack *master = master_ct(ct);
3962 - IP_NF_ASSERT(info);
3963 - IP_NF_ASSERT(master);
3965 - IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
3967 - DEBUGP("ip_nat_mms: mms_nat_expected: We have a connection!\n");
3969 - newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
3970 - newsrcip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
3971 - DEBUGP("ip_nat_mms: mms_nat_expected: hook %s: newsrc->newdst %u.%u.%u.%u->%u.%u.%u.%u\n",
3972 - hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
3973 - : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
3974 - : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???",
3975 - NIPQUAD(newsrcip), NIPQUAD(newdstip));
3977 - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC)
3982 - DEBUGP("ip_nat_mms: mms_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip));
3985 - /* We don't want to manip the per-protocol, just the IPs. */
3986 - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
3987 - mr.range[0].min_ip = mr.range[0].max_ip = newip;
3989 - return ip_nat_setup_info(ct, &mr, hooknum);
3993 -static unsigned int mms_nat_help(struct ip_conntrack *ct,
3994 - struct ip_conntrack_expect *exp,
3995 - struct ip_nat_info *info,
3996 - enum ip_conntrack_info ctinfo,
3997 - unsigned int hooknum,
3998 - struct sk_buff **pskb)
4000 - struct iphdr *iph = (*pskb)->nh.iph;
4001 - struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
4002 - unsigned int datalen;
4004 - struct ip_ct_mms_expect *ct_mms_info;
4007 - DEBUGP("ip_nat_mms: no exp!!");
4009 - ct_mms_info = &exp->help.exp_mms_info;
4011 - /* Only mangle things once: original direction in POST_ROUTING
4012 - and reply direction on PRE_ROUTING. */
4013 - dir = CTINFO2DIR(ctinfo);
4014 - if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
4015 - ||(hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
4016 - DEBUGP("ip_nat_mms: mms_nat_help: not touching dir %s at hook %s\n",
4017 - dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
4018 - hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
4019 - : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
4020 - : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
4023 - DEBUGP("ip_nat_mms: mms_nat_help: beyond not touching (dir %s at hook %s)\n",
4024 - dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
4025 - hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
4026 - : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
4027 - : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
4029 - datalen = (*pskb)->len - iph->ihl * 4 - tcph->doff * 4;
4031 - DEBUGP("ip_nat_mms: mms_nat_help: %u+%u=%u %u %u\n", exp->seq, ct_mms_info->len,
4032 - exp->seq + ct_mms_info->len,
4034 - ntohl(tcph->seq) + datalen);
4036 - LOCK_BH(&ip_mms_lock);
4037 - /* Check wether the whole IP/proto/port pattern is carried in the payload */
4038 - if (between(exp->seq + ct_mms_info->len,
4040 - ntohl(tcph->seq) + datalen)) {
4041 - if (!mms_data_fixup(ct_mms_info, ct, pskb, ctinfo, exp)) {
4042 - UNLOCK_BH(&ip_mms_lock);
4046 - /* Half a match? This means a partial retransmisison.
4047 - It's a cracker being funky. */
4048 - if (net_ratelimit()) {
4049 - printk("ip_nat_mms: partial packet %u/%u in %u/%u\n",
4050 - exp->seq, ct_mms_info->len,
4052 - ntohl(tcph->seq) + datalen);
4054 - UNLOCK_BH(&ip_mms_lock);
4057 - UNLOCK_BH(&ip_mms_lock);
4062 -static struct ip_nat_helper mms[MAX_PORTS];
4063 -static char mms_names[MAX_PORTS][10];
4065 -/* Not __exit: called from init() */
4066 -static void fini(void)
4070 - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
4071 - DEBUGP("ip_nat_mms: unregistering helper for port %d\n", ports[i]);
4072 - ip_nat_helper_unregister(&mms[i]);
4076 -static int __init init(void)
4081 - if (ports[0] == 0)
4082 - ports[0] = MMS_PORT;
4084 - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
4086 - memset(&mms[i], 0, sizeof(struct ip_nat_helper));
4088 - mms[i].tuple.dst.protonum = IPPROTO_TCP;
4089 - mms[i].tuple.src.u.tcp.port = htons(ports[i]);
4090 - mms[i].mask.dst.protonum = 0xFFFF;
4091 - mms[i].mask.src.u.tcp.port = 0xFFFF;
4092 - mms[i].help = mms_nat_help;
4093 - mms[i].me = THIS_MODULE;
4095 - mms[i].expect = mms_nat_expected;
4097 - tmpname = &mms_names[i][0];
4098 - if (ports[i] == MMS_PORT)
4099 - sprintf(tmpname, "mms");
4101 - sprintf(tmpname, "mms-%d", i);
4102 - mms[i].name = tmpname;
4104 - DEBUGP("ip_nat_mms: register helper for port %d\n",
4106 - ret = ip_nat_helper_register(&mms[i]);
4109 - printk("ip_nat_mms: error registering "
4110 - "helper for port %d\n", ports[i]);
4122 diff -Nurb linux/net/ipv4/netfilter/ip_nat_pptp.c linux.stock/net/ipv4/netfilter/ip_nat_pptp.c
4123 --- linux/net/ipv4/netfilter/ip_nat_pptp.c 2003-07-04 04:12:31.000000000 -0400
4124 +++ linux.stock/net/ipv4/netfilter/ip_nat_pptp.c 1969-12-31 19:00:00.000000000 -0500
4127 - * ip_nat_pptp.c - Version 1.11
4129 - * NAT support for PPTP (Point to Point Tunneling Protocol).
4130 - * PPTP is a a protocol for creating virtual private networks.
4131 - * It is a specification defined by Microsoft and some vendors
4132 - * working with Microsoft. PPTP is built on top of a modified
4133 - * version of the Internet Generic Routing Encapsulation Protocol.
4134 - * GRE is defined in RFC 1701 and RFC 1702. Documentation of
4135 - * PPTP can be found in RFC 2637
4137 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
4139 - * Development of this code funded by Astaro AG (http://www.astaro.com/)
4141 - * TODO: - Support for multiple calls within one session
4142 - * (needs netfilter newnat code)
4143 - * - NAT to a unique tuple, not to TCP source port
4144 - * (needs netfilter tuple reservation)
4145 - * - Support other NAT scenarios than SNAT of PNS
4149 -#include <linux/config.h>
4150 -#include <linux/module.h>
4151 -#include <linux/ip.h>
4152 -#include <linux/tcp.h>
4153 -#include <net/tcp.h>
4154 -#include <linux/netfilter_ipv4/ip_nat.h>
4155 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
4156 -#include <linux/netfilter_ipv4/ip_nat_helper.h>
4157 -#include <linux/netfilter_ipv4/ip_nat_pptp.h>
4158 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
4159 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
4160 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
4162 -MODULE_LICENSE("GPL");
4163 -MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
4164 -MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP");
4167 -#define DEBUGP(format, args...)
4169 -static unsigned int
4170 -pptp_nat_expected(struct sk_buff **pskb,
4171 - unsigned int hooknum,
4172 - struct ip_conntrack *ct,
4173 - struct ip_nat_info *info)
4175 - struct ip_conntrack *master = master_ct(ct);
4176 - struct ip_nat_multi_range mr;
4177 - struct ip_ct_pptp_master *ct_pptp_info;
4178 - struct ip_nat_pptp *nat_pptp_info;
4179 - u_int32_t newsrcip, newdstip, newcid;
4182 - IP_NF_ASSERT(info);
4183 - IP_NF_ASSERT(master);
4184 - IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
4186 - DEBUGP("we have a connection!\n");
4188 - LOCK_BH(&ip_pptp_lock);
4189 - ct_pptp_info = &master->help.ct_pptp_info;
4190 - nat_pptp_info = &master->nat.help.nat_pptp_info;
4192 - /* need to alter GRE tuple because conntrack expectfn() used 'wrong'
4193 - * (unmanipulated) values */
4194 - if (hooknum == NF_IP_PRE_ROUTING) {
4195 - DEBUGP("completing tuples with NAT info \n");
4196 - /* we can do this, since we're unconfirmed */
4197 - if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key ==
4198 - htonl(ct_pptp_info->pac_call_id)) {
4199 - /* assume PNS->PAC */
4200 - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
4201 - htonl(nat_pptp_info->pns_call_id);
4202 -// ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.gre.key =
4203 -// htonl(nat_pptp_info->pac_call_id);
4204 - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
4205 - htonl(nat_pptp_info->pns_call_id);
4207 - /* assume PAC->PNS */
4208 - DEBUGP("WRONG DIRECTION\n");
4209 - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
4210 - htonl(nat_pptp_info->pac_call_id);
4211 - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
4212 - htonl(nat_pptp_info->pns_call_id);
4216 - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
4217 - newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
4218 - newcid = htonl(master->nat.help.nat_pptp_info.pac_call_id);
4221 - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED;
4222 - mr.range[0].min_ip = mr.range[0].max_ip = newdstip;
4223 - mr.range[0].min = mr.range[0].max =
4224 - ((union ip_conntrack_manip_proto ) { newcid });
4225 - DEBUGP("change dest ip to %u.%u.%u.%u\n",
4226 - NIPQUAD(newdstip));
4227 - DEBUGP("change dest key to 0x%x\n", ntohl(newcid));
4228 - ret = ip_nat_setup_info(ct, &mr, hooknum);
4230 - newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
4231 - /* nat_multi_range is in network byte order, and GRE tuple
4232 - * is 32 bits, not 16 like callID */
4233 - newcid = htonl(master->help.ct_pptp_info.pns_call_id);
4236 - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS
4237 - |IP_NAT_RANGE_PROTO_SPECIFIED;
4238 - mr.range[0].min_ip = mr.range[0].max_ip = newsrcip;
4239 - mr.range[0].min = mr.range[0].max =
4240 - ((union ip_conntrack_manip_proto ) { newcid });
4241 - DEBUGP("change src ip to %u.%u.%u.%u\n",
4242 - NIPQUAD(newsrcip));
4243 - DEBUGP("change 'src' key to 0x%x\n", ntohl(newcid));
4244 - ret = ip_nat_setup_info(ct, &mr, hooknum);
4247 - UNLOCK_BH(&ip_pptp_lock);
4253 -/* outbound packets == from PNS to PAC */
4254 -static inline unsigned int
4255 -pptp_outbound_pkt(struct tcphdr *tcph, struct pptp_pkt_hdr *pptph,
4257 - struct ip_conntrack *ct,
4258 - enum ip_conntrack_info ctinfo,
4259 - struct ip_conntrack_expect *exp)
4262 - struct PptpControlHeader *ctlh;
4263 - union pptp_ctrl_union pptpReq;
4264 - struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
4265 - struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
4267 - u_int16_t msg, *cid = NULL, new_callid;
4269 - ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
4270 - pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
4272 - new_callid = htons(ct_pptp_info->pns_call_id);
4274 - switch (msg = ntohs(ctlh->messageType)) {
4275 - case PPTP_OUT_CALL_REQUEST:
4276 - cid = &pptpReq.ocreq->callID;
4278 - /* save original call ID in nat_info */
4279 - nat_pptp_info->pns_call_id = ct_pptp_info->pns_call_id;
4281 - new_callid = tcph->source;
4282 - /* save new call ID in ct info */
4283 - ct_pptp_info->pns_call_id = ntohs(new_callid);
4285 - case PPTP_IN_CALL_REPLY:
4286 - cid = &pptpReq.icreq->callID;
4288 - case PPTP_CALL_CLEAR_REQUEST:
4289 - cid = &pptpReq.clrreq->callID;
4291 - case PPTP_CALL_DISCONNECT_NOTIFY:
4292 - cid = &pptpReq.disc->callID;
4296 - DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
4297 - (msg <= PPTP_MSG_MAX)? strMName[msg]:strMName[0]);
4298 - /* fall through */
4300 - case PPTP_SET_LINK_INFO:
4301 - /* only need to NAT in case PAC is behind NAT box */
4302 - case PPTP_START_SESSION_REQUEST:
4303 - case PPTP_START_SESSION_REPLY:
4304 - case PPTP_STOP_SESSION_REQUEST:
4305 - case PPTP_STOP_SESSION_REPLY:
4306 - case PPTP_ECHO_REQUEST:
4307 - case PPTP_ECHO_REPLY:
4308 - /* no need to alter packet */
4312 - IP_NF_ASSERT(cid);
4314 - DEBUGP("altering call id from 0x%04x to 0x%04x\n",
4315 - ntohs(*cid), ntohs(new_callid));
4316 - /* mangle packet */
4317 - tcph->check = ip_nat_cheat_check(*cid^0xFFFF,
4318 - new_callid, tcph->check);
4319 - *cid = new_callid;
4324 -/* inbound packets == from PAC to PNS */
4325 -static inline unsigned int
4326 -pptp_inbound_pkt(struct tcphdr *tcph, struct pptp_pkt_hdr *pptph,
4328 - struct ip_conntrack *ct,
4329 - enum ip_conntrack_info ctinfo,
4330 - struct ip_conntrack_expect *oldexp)
4332 - struct PptpControlHeader *ctlh;
4333 - union pptp_ctrl_union pptpReq;
4334 - struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
4335 - struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
4337 - u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
4338 - u_int32_t old_dst_ip;
4340 - struct ip_conntrack_tuple t;
4342 - ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
4343 - pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
4345 - new_pcid = htons(nat_pptp_info->pns_call_id);
4347 - switch (msg = ntohs(ctlh->messageType)) {
4348 - case PPTP_OUT_CALL_REPLY:
4349 - pcid = &pptpReq.ocack->peersCallID;
4350 - cid = &pptpReq.ocack->callID;
4352 - DEBUGP("outcall but no expectation\n");
4355 - old_dst_ip = oldexp->tuple.dst.ip;
4356 - t = oldexp->tuple;
4358 - /* save original PAC call ID in nat_info */
4359 - nat_pptp_info->pac_call_id = ct_pptp_info->pac_call_id;
4361 - /* store new callID in ct_info, so conntrack works */
4362 - //ct_pptp_info->pac_call_id = ntohs(tcph->source);
4363 - //new_cid = htons(ct_pptp_info->pac_call_id);
4365 - /* alter expectation */
4366 - if (t.dst.ip == ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip) {
4367 - /* expectation for PNS->PAC direction */
4368 - t.dst.u.gre.key = htonl(ct_pptp_info->pac_call_id);
4369 - t.src.u.gre.key = htonl(nat_pptp_info->pns_call_id);
4371 - /* expectation for PAC->PNS direction */
4372 - t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
4373 - DEBUGP("EXPECTATION IN WRONG DIRECTION!!!\n");
4376 - if (!ip_conntrack_change_expect(oldexp, &t)) {
4377 - DEBUGP("successfully changed expect\n");
4379 - DEBUGP("can't change expect\n");
4381 - ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_orig, &t);
4382 - /* reply keymap */
4383 - t.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
4384 - t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
4385 - t.src.u.gre.key = htonl(nat_pptp_info->pac_call_id);
4386 - t.dst.u.gre.key = htonl(ct_pptp_info->pns_call_id);
4387 - ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_reply, &t);
4390 - case PPTP_IN_CALL_CONNECT:
4391 - pcid = &pptpReq.iccon->peersCallID;
4394 - old_dst_ip = oldexp->tuple.dst.ip;
4395 - t = oldexp->tuple;
4397 - /* alter expectation, no need for callID */
4398 - if (t.dst.ip == ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip) {
4399 - /* expectation for PNS->PAC direction */
4400 - t.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
4402 - /* expectation for PAC->PNS direction */
4403 - t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
4406 - if (!ip_conntrack_change_expect(oldexp, &t)) {
4407 - DEBUGP("successfully changed expect\n");
4409 - DEBUGP("can't change expect\n");
4412 - case PPTP_IN_CALL_REQUEST:
4413 - /* only need to nat in case PAC is behind NAT box */
4415 - case PPTP_WAN_ERROR_NOTIFY:
4416 - pcid = &pptpReq.wanerr->peersCallID;
4419 - DEBUGP("unknown inbound packet %s\n",
4420 - (msg <= PPTP_MSG_MAX)? strMName[msg]:strMName[0]);
4421 - /* fall through */
4423 - case PPTP_START_SESSION_REQUEST:
4424 - case PPTP_START_SESSION_REPLY:
4425 - case PPTP_STOP_SESSION_REQUEST:
4426 - case PPTP_ECHO_REQUEST:
4427 - case PPTP_ECHO_REPLY:
4428 - /* no need to alter packet */
4432 - /* mangle packet */
4433 - IP_NF_ASSERT(pcid);
4434 - DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
4435 - ntohs(*pcid), ntohs(new_pcid));
4436 - tcph->check = ip_nat_cheat_check(*pcid^0xFFFF,
4437 - new_pcid, tcph->check);
4441 - IP_NF_ASSERT(cid);
4442 - DEBUGP("altering call id from 0x%04x to 0x%04x\n",
4443 - ntohs(*cid), ntohs(new_cid));
4444 - tcph->check = ip_nat_cheat_check(*cid^0xFFFF,
4445 - new_cid, tcph->check);
4449 - /* great, at least we don't need to resize packets */
4454 -static unsigned int tcp_help(struct ip_conntrack *ct,
4455 - struct ip_conntrack_expect *exp,
4456 - struct ip_nat_info *info,
4457 - enum ip_conntrack_info ctinfo,
4458 - unsigned int hooknum, struct sk_buff **pskb)
4460 - struct iphdr *iph = (*pskb)->nh.iph;
4461 - struct tcphdr *tcph = (void *) iph + iph->ihl*4;
4462 - unsigned int datalen = (*pskb)->len - iph->ihl*4 - tcph->doff*4;
4463 - struct pptp_pkt_hdr *pptph;
4468 - DEBUGP("entering\n");
4470 - /* Only mangle things once: original direction in POST_ROUTING
4471 - and reply direction on PRE_ROUTING. */
4472 - dir = CTINFO2DIR(ctinfo);
4473 - if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
4474 - || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) {
4475 - DEBUGP("Not touching dir %s at hook %s\n",
4476 - dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY",
4477 - hooknum == NF_IP_POST_ROUTING ? "POSTROUTING"
4478 - : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING"
4479 - : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???");
4483 - /* if packet is too small, just skip it */
4484 - if (datalen < sizeof(struct pptp_pkt_hdr)+
4485 - sizeof(struct PptpControlHeader)) {
4486 - DEBUGP("pptp packet too short\n");
4491 - pptph = (struct pptp_pkt_hdr *) ((void *)tcph + tcph->doff*4);
4492 - datalimit = (void *) pptph + datalen;
4494 - LOCK_BH(&ip_pptp_lock);
4496 - if (dir == IP_CT_DIR_ORIGINAL) {
4497 - /* reuqests sent by client to server (PNS->PAC) */
4498 - pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo, exp);
4500 - /* response from the server to the client (PAC->PNS) */
4501 - pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo, exp);
4504 - UNLOCK_BH(&ip_pptp_lock);
4509 -/* nat helper struct for control connection */
4510 -static struct ip_nat_helper pptp_tcp_helper = {
4512 - "pptp", IP_NAT_HELPER_F_ALWAYS, THIS_MODULE,
4513 - { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } },
4514 - { 0, { 0 }, IPPROTO_TCP } },
4515 - { { 0, { tcp: { port: 0xFFFF } } },
4516 - { 0, { 0 }, 0xFFFF } },
4517 - tcp_help, pptp_nat_expected };
4520 -static int __init init(void)
4522 - DEBUGP("init_module\n" );
4524 - if (ip_nat_helper_register(&pptp_tcp_helper))
4530 -static void __exit fini(void)
4532 - DEBUGP("cleanup_module\n" );
4533 - ip_nat_helper_unregister(&pptp_tcp_helper);
4538 diff -Nurb linux/net/ipv4/netfilter/ip_nat_proto_gre.c linux.stock/net/ipv4/netfilter/ip_nat_proto_gre.c
4539 --- linux/net/ipv4/netfilter/ip_nat_proto_gre.c 2003-07-04 04:12:31.000000000 -0400
4540 +++ linux.stock/net/ipv4/netfilter/ip_nat_proto_gre.c 1969-12-31 19:00:00.000000000 -0500
4543 - * ip_nat_proto_gre.c - Version 1.11
4545 - * NAT protocol helper module for GRE.
4547 - * GRE is a generic encapsulation protocol, which is generally not very
4548 - * suited for NAT, as it has no protocol-specific part as port numbers.
4550 - * It has an optional key field, which may help us distinguishing two
4551 - * connections between the same two hosts.
4553 - * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
4555 - * PPTP is built on top of a modified version of GRE, and has a mandatory
4556 - * field called "CallID", which serves us for the same purpose as the key
4557 - * field in plain GRE.
4559 - * Documentation about PPTP can be found in RFC 2637
4561 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
4563 - * Development of this code funded by Astaro AG (http://www.astaro.com/)
4567 -#include <linux/config.h>
4568 -#include <linux/module.h>
4569 -#include <linux/ip.h>
4570 -#include <linux/netfilter_ipv4/ip_nat.h>
4571 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
4572 -#include <linux/netfilter_ipv4/ip_nat_protocol.h>
4573 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
4575 -MODULE_LICENSE("GPL");
4576 -MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
4577 -MODULE_DESCRIPTION("Netfilter NAT protocol helper module for GRE");
4579 -#define DEBUGP(x, args...)
4581 -/* is key in given range between min and max */
4583 -gre_in_range(const struct ip_conntrack_tuple *tuple,
4584 - enum ip_nat_manip_type maniptype,
4585 - const union ip_conntrack_manip_proto *min,
4586 - const union ip_conntrack_manip_proto *max)
4588 - return ntohl(tuple->src.u.gre.key) >= ntohl(min->gre.key)
4589 - && ntohl(tuple->src.u.gre.key) <= ntohl(max->gre.key);
4592 -/* generate unique tuple ... */
4594 -gre_unique_tuple(struct ip_conntrack_tuple *tuple,
4595 - const struct ip_nat_range *range,
4596 - enum ip_nat_manip_type maniptype,
4597 - const struct ip_conntrack *conntrack)
4599 - u_int32_t min, i, range_size;
4600 - u_int32_t key = 0, *keyptr;
4602 - if (maniptype == IP_NAT_MANIP_SRC)
4603 - keyptr = &tuple->src.u.gre.key;
4605 - keyptr = &tuple->dst.u.gre.key;
4607 - if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) {
4609 - switch (tuple->dst.u.gre.version) {
4611 - DEBUGP("NATing GRE version 0 (ct=%p)\n",
4614 - range_size = 0xffffffff;
4616 - case GRE_VERSION_PPTP:
4617 - DEBUGP("%p: NATing GRE PPTP\n",
4620 - range_size = 0xffff;
4623 - printk(KERN_WARNING "nat_gre: unknown GRE version\n");
4629 - min = ntohl(range->min.gre.key);
4630 - range_size = ntohl(range->max.gre.key) - min + 1;
4633 - DEBUGP("min = %u, range_size = %u\n", min, range_size);
4635 - for (i = 0; i < range_size; i++, key++) {
4636 - *keyptr = htonl(min + key % range_size);
4637 - if (!ip_nat_used_tuple(tuple, conntrack))
4641 - DEBUGP("%p: no NAT mapping\n", conntrack);
4646 -/* manipulate a GRE packet according to maniptype */
4648 -gre_manip_pkt(struct iphdr *iph, size_t len,
4649 - const struct ip_conntrack_manip *manip,
4650 - enum ip_nat_manip_type maniptype)
4652 - struct gre_hdr *greh = (struct gre_hdr *)((u_int32_t *)iph+iph->ihl);
4653 - struct gre_hdr_pptp *pgreh = (struct gre_hdr_pptp *) greh;
4655 - /* we only have destination manip of a packet, since 'source key'
4656 - * is not present in the packet itself */
4657 - if (maniptype == IP_NAT_MANIP_DST) {
4658 - /* key manipulation is always dest */
4659 - switch (greh->version) {
4662 - DEBUGP("can't nat GRE w/o key\n");
4666 - *(gre_csum(greh)) =
4667 - ip_nat_cheat_check(~*(gre_key(greh)),
4669 - *(gre_csum(greh)));
4671 - *(gre_key(greh)) = manip->u.gre.key;
4673 - case GRE_VERSION_PPTP:
4674 - DEBUGP("call_id -> 0x%04x\n",
4675 - ntohl(manip->u.gre.key));
4676 - pgreh->call_id = htons(ntohl(manip->u.gre.key));
4679 - DEBUGP("can't nat unknown GRE version\n");
4685 -/* print out a nat tuple */
4686 -static unsigned int
4687 -gre_print(char *buffer,
4688 - const struct ip_conntrack_tuple *match,
4689 - const struct ip_conntrack_tuple *mask)
4691 - unsigned int len = 0;
4693 - if (mask->dst.u.gre.version)
4694 - len += sprintf(buffer + len, "version=%d ",
4695 - ntohs(match->dst.u.gre.version));
4697 - if (mask->dst.u.gre.protocol)
4698 - len += sprintf(buffer + len, "protocol=0x%x ",
4699 - ntohs(match->dst.u.gre.protocol));
4701 - if (mask->src.u.gre.key)
4702 - len += sprintf(buffer + len, "srckey=0x%x ",
4703 - ntohl(match->src.u.gre.key));
4705 - if (mask->dst.u.gre.key)
4706 - len += sprintf(buffer + len, "dstkey=0x%x ",
4707 - ntohl(match->src.u.gre.key));
4712 -/* print a range of keys */
4713 -static unsigned int
4714 -gre_print_range(char *buffer, const struct ip_nat_range *range)
4716 - if (range->min.gre.key != 0
4717 - || range->max.gre.key != 0xFFFF) {
4718 - if (range->min.gre.key == range->max.gre.key)
4719 - return sprintf(buffer, "key 0x%x ",
4720 - ntohl(range->min.gre.key));
4722 - return sprintf(buffer, "keys 0x%u-0x%u ",
4723 - ntohl(range->min.gre.key),
4724 - ntohl(range->max.gre.key));
4729 -/* nat helper struct */
4730 -static struct ip_nat_protocol gre =
4731 - { { NULL, NULL }, "GRE", IPPROTO_GRE,
4739 -static int __init init(void)
4741 - if (ip_nat_protocol_register(&gre))
4747 -static void __exit fini(void)
4749 - ip_nat_protocol_unregister(&gre);
4754 diff -Nurb linux/net/ipv4/netfilter/ip_nat_standalone.c linux.stock/net/ipv4/netfilter/ip_nat_standalone.c
4755 --- linux/net/ipv4/netfilter/ip_nat_standalone.c 2003-07-04 04:12:31.000000000 -0400
4756 +++ linux.stock/net/ipv4/netfilter/ip_nat_standalone.c 2004-05-09 04:13:03.000000000 -0400
4758 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
4759 #include <linux/netfilter_ipv4/listhelp.h>
4762 +#define DEBUGP printk
4764 #define DEBUGP(format, args...)
4767 #define HOOKNAME(hooknum) ((hooknum) == NF_IP_POST_ROUTING ? "POST_ROUTING" \
4768 : ((hooknum) == NF_IP_PRE_ROUTING ? "PRE_ROUTING" \
4770 EXPORT_SYMBOL(ip_nat_helper_unregister);
4771 EXPORT_SYMBOL(ip_nat_cheat_check);
4772 EXPORT_SYMBOL(ip_nat_mangle_tcp_packet);
4773 -EXPORT_SYMBOL(ip_nat_mangle_udp_packet);
4774 EXPORT_SYMBOL(ip_nat_used_tuple);
4775 MODULE_LICENSE("GPL");
4776 diff -Nurb linux/net/ipv4/netfilter/ip_nat_tftp.c linux.stock/net/ipv4/netfilter/ip_nat_tftp.c
4777 --- linux/net/ipv4/netfilter/ip_nat_tftp.c 2003-07-04 04:12:31.000000000 -0400
4778 +++ linux.stock/net/ipv4/netfilter/ip_nat_tftp.c 1969-12-31 19:00:00.000000000 -0500
4781 - * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu>
4784 - * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org>
4785 - * - Port to newnat API
4787 - * This module currently supports DNAT:
4788 - * iptables -t nat -A PREROUTING -d x.x.x.x -j DNAT --to-dest x.x.x.y
4791 - * iptables -t nat -A POSTROUTING { -j MASQUERADE , -j SNAT --to-source x.x.x.x }
4793 - * It has not been tested with
4794 - * -j SNAT --to-source x.x.x.x-x.x.x.y since I only have one external ip
4795 - * If you do test this please let me know if it works or not.
4799 -#include <linux/module.h>
4800 -#include <linux/netfilter_ipv4.h>
4801 -#include <linux/ip.h>
4802 -#include <linux/udp.h>
4804 -#include <linux/netfilter.h>
4805 -#include <linux/netfilter_ipv4/ip_tables.h>
4806 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
4807 -#include <linux/netfilter_ipv4/ip_conntrack_tftp.h>
4808 -#include <linux/netfilter_ipv4/ip_nat_helper.h>
4809 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
4811 -MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>");
4812 -MODULE_DESCRIPTION("Netfilter NAT helper for tftp");
4813 -MODULE_LICENSE("GPL");
4815 -#define MAX_PORTS 8
4817 -static int ports[MAX_PORTS];
4818 -static int ports_c = 0;
4820 -MODULE_PARM(ports,"1-" __MODULE_STRING(MAX_PORTS) "i");
4821 -MODULE_PARM_DESC(ports, "port numbers of tftp servers");
4824 -#define DEBUGP(format, args...)
4825 -static unsigned int
4826 -tftp_nat_help(struct ip_conntrack *ct,
4827 - struct ip_conntrack_expect *exp,
4828 - struct ip_nat_info *info,
4829 - enum ip_conntrack_info ctinfo,
4830 - unsigned int hooknum,
4831 - struct sk_buff **pskb)
4833 - int dir = CTINFO2DIR(ctinfo);
4834 - struct iphdr *iph = (*pskb)->nh.iph;
4835 - struct udphdr *udph = (void *)iph + iph->ihl * 4;
4836 - struct tftphdr *tftph = (void *)udph + 8;
4837 - struct ip_conntrack_tuple repl;
4839 - if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL)
4840 - || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY)))
4844 - DEBUGP("no conntrack expectation to modify\n");
4848 - switch (ntohs(tftph->opcode)) {
4849 - /* RRQ and WRQ works the same way */
4850 - case TFTP_OPCODE_READ:
4851 - case TFTP_OPCODE_WRITE:
4852 - repl = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
4854 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
4855 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
4856 - DEBUGP("expecting: ");
4857 - DUMP_TUPLE_RAW(&repl);
4858 - DUMP_TUPLE_RAW(&exp->mask);
4859 - ip_conntrack_change_expect(exp, &repl);
4862 - DEBUGP("Unknown opcode\n");
4868 -static unsigned int
4869 -tftp_nat_expected(struct sk_buff **pskb,
4870 - unsigned int hooknum,
4871 - struct ip_conntrack *ct,
4872 - struct ip_nat_info *info)
4874 - const struct ip_conntrack *master = ct->master->expectant;
4875 - const struct ip_conntrack_tuple *orig =
4876 - &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
4877 - struct ip_nat_multi_range mr;
4879 - IP_NF_ASSERT(info);
4880 - IP_NF_ASSERT(master);
4881 - IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
4884 - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS;
4886 - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) {
4887 - mr.range[0].min_ip = mr.range[0].max_ip = orig->dst.ip;
4888 - DEBUGP("orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u "
4889 - "newsrc: %u.%u.%u.%u\n",
4890 - NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source),
4891 - NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest),
4892 - NIPQUAD(orig->dst.ip));
4894 - mr.range[0].min_ip = mr.range[0].max_ip = orig->src.ip;
4895 - mr.range[0].min.udp.port = mr.range[0].max.udp.port =
4896 - orig->src.u.udp.port;
4897 - mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
4899 - DEBUGP("orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u "
4900 - "newdst: %u.%u.%u.%u:%u\n",
4901 - NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source),
4902 - NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest),
4903 - NIPQUAD(orig->src.ip), ntohs(orig->src.u.udp.port));
4906 - return ip_nat_setup_info(ct,&mr,hooknum);
4909 -static struct ip_nat_helper tftp[MAX_PORTS];
4910 -static char tftp_names[MAX_PORTS][10];
4912 -static void fini(void)
4916 - for (i = 0 ; i < ports_c; i++) {
4917 - DEBUGP("unregistering helper for port %d\n", ports[i]);
4918 - ip_nat_helper_unregister(&tftp[i]);
4922 -static int __init init(void)
4928 - ports[0] = TFTP_PORT;
4930 - for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
4931 - memset(&tftp[i], 0, sizeof(struct ip_nat_helper));
4933 - tftp[i].tuple.dst.protonum = IPPROTO_UDP;
4934 - tftp[i].tuple.src.u.udp.port = htons(ports[i]);
4935 - tftp[i].mask.dst.protonum = 0xFFFF;
4936 - tftp[i].mask.src.u.udp.port = 0xFFFF;
4937 - tftp[i].help = tftp_nat_help;
4938 - tftp[i].flags = 0;
4939 - tftp[i].me = THIS_MODULE;
4940 - tftp[i].expect = tftp_nat_expected;
4942 - tmpname = &tftp_names[i][0];
4943 - if (ports[i] == TFTP_PORT)
4944 - sprintf(tmpname, "tftp");
4946 - sprintf(tmpname, "tftp-%d", i);
4947 - tftp[i].name = tmpname;
4949 - DEBUGP("ip_nat_tftp: registering for port %d: name %s\n",
4950 - ports[i], tftp[i].name);
4951 - ret = ip_nat_helper_register(&tftp[i]);
4954 - printk("ip_nat_tftp: unable to register for port %d\n",
4966 diff -Nurb linux/net/ipv4/netfilter/ip_pool.c linux.stock/net/ipv4/netfilter/ip_pool.c
4967 --- linux/net/ipv4/netfilter/ip_pool.c 2003-07-04 04:12:31.000000000 -0400
4968 +++ linux.stock/net/ipv4/netfilter/ip_pool.c 1969-12-31 19:00:00.000000000 -0500
4970 -/* Kernel module for IP pool management */
4972 -#include <linux/module.h>
4973 -#include <linux/ip.h>
4974 -#include <linux/skbuff.h>
4975 -#include <linux/netfilter_ipv4/ip_tables.h>
4976 -#include <linux/netfilter_ipv4/ip_pool.h>
4977 -#include <linux/errno.h>
4978 -#include <asm/uaccess.h>
4979 -#include <asm/bitops.h>
4980 -#include <linux/interrupt.h>
4981 -#include <linux/spinlock.h>
4983 -#define DP(format, args...)
4985 -MODULE_LICENSE("GPL");
4988 -static int nr_pool = NR_POOL;/* overwrite this when loading module */
4991 - u_int32_t first_ip; /* host byte order, included in range */
4992 - u_int32_t last_ip; /* host byte order, included in range */
4993 - void *members; /* the bitmap proper */
4994 - int nr_use; /* total nr. of tests through this */
4995 - int nr_match; /* total nr. of matches through this */
4999 -static struct ip_pool *POOL;
5001 -static inline struct ip_pool *lookup(ip_pool_t index)
5003 - if (index < 0 || index >= nr_pool) {
5004 - DP("ip_pool:lookup: bad index %d\n", index);
5007 - return POOL+index;
5010 -int ip_pool_match(ip_pool_t index, u_int32_t addr)
5012 - struct ip_pool *pool = lookup(index);
5015 - if (!pool || !pool->members)
5017 - read_lock_bh(&pool->lock);
5018 - if (pool->members) {
5019 - if (addr >= pool->first_ip && addr <= pool->last_ip) {
5020 - addr -= pool->first_ip;
5021 - if (test_bit(addr, pool->members)) {
5023 -#ifdef CONFIG_IP_POOL_STATISTICS
5028 -#ifdef CONFIG_IP_POOL_STATISTICS
5032 - read_unlock_bh(&pool->lock);
5036 -static int pool_change(ip_pool_t index, u_int32_t addr, int isdel)
5038 - struct ip_pool *pool;
5041 - pool = lookup(index);
5042 - if ( !pool || !pool->members
5043 - || addr < pool->first_ip || addr > pool->last_ip)
5045 - read_lock_bh(&pool->lock);
5046 - if (pool->members && addr >= pool->first_ip && addr <= pool->last_ip) {
5047 - addr -= pool->first_ip;
5049 - ? (0 != test_and_clear_bit(addr, pool->members))
5050 - : (0 != test_and_set_bit(addr, pool->members));
5052 - read_unlock_bh(&pool->lock);
5056 -int ip_pool_mod(ip_pool_t index, u_int32_t addr, int isdel)
5058 - int res = pool_change(index,addr,isdel);
5060 - if (!isdel) res = !res;
5064 -static inline int bitmap_bytes(u_int32_t a, u_int32_t b)
5066 - return 4*((((b-a+8)/8)+3)/4);
5069 -static inline int poolbytes(ip_pool_t index)
5071 - struct ip_pool *pool = lookup(index);
5073 - return pool ? bitmap_bytes(pool->first_ip, pool->last_ip) : 0;
5076 -static int setpool(
5082 - struct ip_pool_request req;
5084 - DP("ip_pool:setpool: optval=%d, user=%p, len=%d\n", optval, user, len);
5085 - if (!capable(CAP_NET_ADMIN))
5087 - if (optval != SO_IP_POOL)
5089 - if (len != sizeof(req))
5091 - if (copy_from_user(&req, user, sizeof(req)) != 0)
5093 - printk("obsolete op - upgrade your ippool(8) utility.\n");
5097 -static int getpool(
5103 - struct ip_pool_request req;
5104 - struct ip_pool *pool;
5110 - DP("ip_pool:getpool: optval=%d, user=%p\n", optval, user);
5111 - if (!capable(CAP_NET_ADMIN))
5113 - if (optval != SO_IP_POOL)
5115 - if (*len != sizeof(req)) {
5118 - if (copy_from_user(&req, user, sizeof(req)) != 0)
5120 - DP("ip_pool:getpool op=%d, index=%d\n", req.op, req.index);
5121 - if (req.op < IP_POOL_BAD001) {
5122 - printk("obsolete op - upgrade your ippool(8) utility.\n");
5126 - case IP_POOL_HIGH_NR:
5127 - DP("ip_pool HIGH_NR\n");
5128 - req.index = IP_POOL_NONE;
5129 - for (i=0; i<nr_pool; i++)
5130 - if (POOL[i].members)
5132 - return copy_to_user(user, &req, sizeof(req));
5133 - case IP_POOL_LOOKUP:
5134 - DP("ip_pool LOOKUP\n");
5135 - pool = lookup(req.index);
5138 - if (!pool->members)
5140 - req.addr = htonl(pool->first_ip);
5141 - req.addr2 = htonl(pool->last_ip);
5142 - return copy_to_user(user, &req, sizeof(req));
5143 - case IP_POOL_USAGE:
5144 - DP("ip_pool USE\n");
5145 - pool = lookup(req.index);
5148 - if (!pool->members)
5150 - req.addr = pool->nr_use;
5151 - req.addr2 = pool->nr_match;
5152 - return copy_to_user(user, &req, sizeof(req));
5153 - case IP_POOL_TEST_ADDR:
5154 - DP("ip_pool TEST 0x%08x\n", req.addr);
5155 - pool = lookup(req.index);
5159 - read_lock_bh(&pool->lock);
5160 - if (!pool->members) {
5161 - DP("ip_pool TEST_ADDR no members in pool\n");
5163 - goto unlock_and_return_res;
5165 - req.addr = ntohl(req.addr);
5166 - if (req.addr < pool->first_ip) {
5167 - DP("ip_pool TEST_ADDR address < pool bounds\n");
5169 - goto unlock_and_return_res;
5171 - if (req.addr > pool->last_ip) {
5172 - DP("ip_pool TEST_ADDR address > pool bounds\n");
5174 - goto unlock_and_return_res;
5176 - req.addr = (0 != test_bit((req.addr - pool->first_ip),
5178 - read_unlock_bh(&pool->lock);
5179 - return copy_to_user(user, &req, sizeof(req));
5180 - case IP_POOL_FLUSH:
5181 - DP("ip_pool FLUSH not yet implemented.\n");
5183 - case IP_POOL_DESTROY:
5184 - DP("ip_pool DESTROY not yet implemented.\n");
5186 - case IP_POOL_INIT:
5187 - DP("ip_pool INIT 0x%08x-0x%08x\n", req.addr, req.addr2);
5188 - pool = lookup(req.index);
5191 - req.addr = ntohl(req.addr);
5192 - req.addr2 = ntohl(req.addr2);
5193 - if (req.addr > req.addr2) {
5194 - DP("ip_pool INIT bad ip range\n");
5197 - newbytes = bitmap_bytes(req.addr, req.addr2);
5198 - newmembers = kmalloc(newbytes, GFP_KERNEL);
5199 - if (!newmembers) {
5200 - DP("ip_pool INIT out of mem for %d bytes\n", newbytes);
5203 - memset(newmembers, 0, newbytes);
5204 - write_lock_bh(&pool->lock);
5205 - if (pool->members) {
5206 - DP("ip_pool INIT pool %d exists\n", req.index);
5207 - kfree(newmembers);
5209 - goto unlock_and_return_res;
5211 - pool->first_ip = req.addr;
5212 - pool->last_ip = req.addr2;
5214 - pool->nr_match = 0;
5215 - pool->members = newmembers;
5216 - write_unlock_bh(&pool->lock);
5218 - case IP_POOL_ADD_ADDR:
5219 - DP("ip_pool ADD_ADDR 0x%08x\n", req.addr);
5220 - req.addr = pool_change(req.index, ntohl(req.addr), 0);
5221 - return copy_to_user(user, &req, sizeof(req));
5222 - case IP_POOL_DEL_ADDR:
5223 - DP("ip_pool DEL_ADDR 0x%08x\n", req.addr);
5224 - req.addr = pool_change(req.index, ntohl(req.addr), 1);
5225 - return copy_to_user(user, &req, sizeof(req));
5227 - DP("ip_pool:getpool bad op %d\n", req.op);
5232 -unlock_and_return_res:
5234 - read_unlock_bh(&pool->lock);
5238 -static struct nf_sockopt_ops so_pool
5239 -= { { NULL, NULL }, PF_INET,
5240 - SO_IP_POOL, SO_IP_POOL+1, &setpool,
5241 - SO_IP_POOL, SO_IP_POOL+1, &getpool,
5244 -MODULE_PARM(nr_pool, "i");
5246 -static int __init init(void)
5251 - if (nr_pool < 1) {
5252 - printk("ip_pool module init: bad nr_pool %d\n", nr_pool);
5255 - POOL = kmalloc(nr_pool * sizeof(*POOL), GFP_KERNEL);
5257 - printk("ip_pool module init: out of memory for nr_pool %d\n",
5261 - for (i=0; i<nr_pool; i++) {
5262 - POOL[i].first_ip = 0;
5263 - POOL[i].last_ip = 0;
5264 - POOL[i].members = 0;
5265 - POOL[i].nr_use = 0;
5266 - POOL[i].nr_match = 0;
5267 - POOL[i].lock = RW_LOCK_UNLOCKED;
5269 - res = nf_register_sockopt(&so_pool);
5270 - DP("ip_pool:init %d pools, result %d\n", nr_pool, res);
5278 -static void __exit fini(void)
5282 - DP("ip_pool:fini BYEBYE\n");
5283 - nf_unregister_sockopt(&so_pool);
5284 - for (i=0; i<nr_pool; i++) {
5285 - if (POOL[i].members) {
5286 - kfree(POOL[i].members);
5287 - POOL[i].members = 0;
5292 - DP("ip_pool:fini these are the famous last words\n");
5298 diff -Nurb linux/net/ipv4/netfilter/ip_tables.c linux.stock/net/ipv4/netfilter/ip_tables.c
5299 --- linux/net/ipv4/netfilter/ip_tables.c 2003-07-04 04:12:31.000000000 -0400
5300 +++ linux.stock/net/ipv4/netfilter/ip_tables.c 2004-05-09 04:13:03.000000000 -0400
5302 #include <linux/netfilter_ipv4/lockhelp.h>
5303 #include <linux/netfilter_ipv4/listhelp.h>
5306 +/* All the better to debug you with... */
5311 /* Locking is simple: we assume at worst case there will be one packet
5312 in user context and one from bottom halves (or soft irq if Alexey's
5315 /* Size per table */
5317 + /* Number of entries: FIXME. --RR */
5318 unsigned int number;
5319 /* Initial number of entries. Needed for module usage count */
5320 unsigned int initial_entries;
5321 @@ -106,6 +112,11 @@
5322 #define TABLE_OFFSET(t,p) 0
5326 +#define down(x) do { printk("DOWN:%u:" #x "\n", __LINE__); down(x); } while(0)
5327 +#define down_interruptible(x) ({ int __r; printk("DOWNi:%u:" #x "\n", __LINE__); __r = down_interruptible(x); if (__r != 0) printk("ABORT-DOWNi:%u\n", __LINE__); __r; })
5328 +#define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0)
5331 /* Returns whether matches rule or not. */
5333 @@ -408,6 +419,12 @@
5338 + duprintf("find_inlist: searching for `%s' in %s.\n",
5339 + name, head == &ipt_target ? "ipt_target"
5340 + : head == &ipt_match ? "ipt_match"
5341 + : head == &ipt_tables ? "ipt_tables" : "UNKNOWN");
5344 *error = down_interruptible(mutex);
5347 newinfo->underflow[h] = underflows[h];
5350 + /* FIXME: underflows must be unconditional, standard verdicts
5351 + < 0 (not IPT_RETURN). --RR */
5353 /* Clear counters and comefrom */
5354 e->counters = ((struct ipt_counters) { 0, 0 });
5359 + /* FIXME: use iterator macros --RR */
5360 /* ... then go back and fix counters and names */
5361 for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
5363 @@ -1134,6 +1154,14 @@
5364 const struct ipt_counters addme[],
5368 + duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
5370 + (long unsigned int)e->counters.pcnt,
5371 + (long unsigned int)e->counters.bcnt,
5372 + (long unsigned int)addme[*i].pcnt,
5373 + (long unsigned int)addme[*i].bcnt);
5376 ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
5378 @@ -1495,6 +1523,7 @@
5382 + /* FIXME: Try tcp doff >> packet len against various stacks --RR */
5384 #define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
5386 @@ -1670,15 +1699,14 @@
5387 = { { NULL, NULL }, "icmp", &icmp_match, &icmp_checkentry, NULL };
5389 #ifdef CONFIG_PROC_FS
5390 -static inline int print_name(const char *i,
5391 +static inline int print_name(const struct ipt_table *t,
5392 off_t start_offset, char *buffer, int length,
5393 off_t *pos, unsigned int *count)
5395 if ((*count)++ >= start_offset) {
5396 unsigned int namelen;
5398 - namelen = sprintf(buffer + *pos, "%s\n",
5399 - i + sizeof(struct list_head));
5400 + namelen = sprintf(buffer + *pos, "%s\n", t->name);
5401 if (*pos + namelen > length) {
5402 /* Stop iterating */
5404 @@ -1696,7 +1724,7 @@
5405 if (down_interruptible(&ipt_mutex) != 0)
5408 - LIST_FIND(&ipt_tables, print_name, void *,
5409 + LIST_FIND(&ipt_tables, print_name, struct ipt_table *,
5410 offset, buffer, length, &pos, &count);
5413 @@ -1705,46 +1733,6 @@
5414 *start=(char *)((unsigned long)count-offset);
5418 -static int ipt_get_targets(char *buffer, char **start, off_t offset, int length)
5421 - unsigned int count = 0;
5423 - if (down_interruptible(&ipt_mutex) != 0)
5426 - LIST_FIND(&ipt_target, print_name, void *,
5427 - offset, buffer, length, &pos, &count);
5431 - *start = (char *)((unsigned long)count - offset);
5435 -static int ipt_get_matches(char *buffer, char **start, off_t offset, int length)
5438 - unsigned int count = 0;
5440 - if (down_interruptible(&ipt_mutex) != 0)
5443 - LIST_FIND(&ipt_match, print_name, void *,
5444 - offset, buffer, length, &pos, &count);
5448 - *start = (char *)((unsigned long)count - offset);
5452 -static struct { char *name; get_info_t *get_info; } ipt_proc_entry[] =
5453 -{ { "ip_tables_names", ipt_get_tables },
5454 - { "ip_tables_targets", ipt_get_targets },
5455 - { "ip_tables_matches", ipt_get_matches },
5457 #endif /*CONFIG_PROC_FS*/
5459 static int __init init(void)
5460 @@ -1770,20 +1758,14 @@
5461 #ifdef CONFIG_PROC_FS
5463 struct proc_dir_entry *proc;
5466 - for (i = 0; ipt_proc_entry[i].name; i++) {
5467 - proc = proc_net_create(ipt_proc_entry[i].name, 0,
5468 - ipt_proc_entry[i].get_info);
5469 + proc = proc_net_create("ip_tables_names", 0, ipt_get_tables);
5472 - proc_net_remove(ipt_proc_entry[i].name);
5473 nf_unregister_sockopt(&ipt_sockopts);
5476 proc->owner = THIS_MODULE;
5481 printk("ip_tables: (C) 2000-2002 Netfilter core team\n");
5482 @@ -1794,11 +1776,7 @@
5484 nf_unregister_sockopt(&ipt_sockopts);
5485 #ifdef CONFIG_PROC_FS
5488 - for (i = 0; ipt_proc_entry[i].name; i++)
5489 - proc_net_remove(ipt_proc_entry[i].name);
5491 + proc_net_remove("ip_tables_names");
5495 diff -Nurb linux/net/ipv4/netfilter/ipchains_core.c linux.stock/net/ipv4/netfilter/ipchains_core.c
5496 --- linux/net/ipv4/netfilter/ipchains_core.c 2003-07-04 04:12:31.000000000 -0400
5497 +++ linux.stock/net/ipv4/netfilter/ipchains_core.c 2004-05-09 04:13:03.000000000 -0400
5498 @@ -977,10 +977,17 @@
5499 || ftmp->ipfw.fw_dst.s_addr!=frwl->ipfw.fw_dst.s_addr
5500 || ftmp->ipfw.fw_smsk.s_addr!=frwl->ipfw.fw_smsk.s_addr
5501 || ftmp->ipfw.fw_dmsk.s_addr!=frwl->ipfw.fw_dmsk.s_addr
5503 + || ftmp->ipfw.fw_flg!=frwl->ipfw.fw_flg
5505 || ((ftmp->ipfw.fw_flg & ~IP_FW_F_MARKABS)
5506 != (frwl->ipfw.fw_flg & ~IP_FW_F_MARKABS))
5508 || ftmp->ipfw.fw_invflg!=frwl->ipfw.fw_invflg
5509 || ftmp->ipfw.fw_proto!=frwl->ipfw.fw_proto
5511 + || ftmp->ipfw.fw_mark!=frwl->ipfw.fw_mark
5513 || ftmp->ipfw.fw_redirpt!=frwl->ipfw.fw_redirpt
5514 || ftmp->ipfw.fw_spts[0]!=frwl->ipfw.fw_spts[0]
5515 || ftmp->ipfw.fw_spts[1]!=frwl->ipfw.fw_spts[1]
5516 @@ -1566,6 +1573,7 @@
5519 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
5520 + /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
5524 diff -Nurb linux/net/ipv4/netfilter/ipfwadm_core.c linux.stock/net/ipv4/netfilter/ipfwadm_core.c
5525 --- linux/net/ipv4/netfilter/ipfwadm_core.c 2003-10-14 04:09:33.000000000 -0400
5526 +++ linux.stock/net/ipv4/netfilter/ipfwadm_core.c 2004-05-09 04:13:03.000000000 -0400
5528 * license in recognition of the original copyright.
5531 - * $Id: ipfwadm_core.c,v 1.1.1.4 2003/10/14 08:09:33 sparq Exp $
5532 + * $Id: ipfwadm_core.c,v 1.9.2.2 2002/01/24 15:50:42 davem Exp $
5534 * Ported from BSD to Linux,
5535 * Alan Cox 22/Nov/1994.
5536 @@ -1205,6 +1205,7 @@
5539 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
5540 + /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
5543 return ip_chain_procinfo(IP_FW_ACCT, buffer,start, offset,length,
5544 @@ -1223,6 +1224,7 @@
5547 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
5548 + /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
5551 return ip_chain_procinfo(IP_FW_IN, buffer,start,offset,length,
5552 @@ -1237,6 +1239,7 @@
5555 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
5556 + /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
5559 return ip_chain_procinfo(IP_FW_OUT, buffer,start,offset,length,
5560 @@ -1251,6 +1254,7 @@
5563 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29)
5564 + /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */
5567 return ip_chain_procinfo(IP_FW_FWD, buffer,start,offset,length,
5568 diff -Nurb linux/net/ipv4/netfilter/ipt_ECN.c linux.stock/net/ipv4/netfilter/ipt_ECN.c
5569 --- linux/net/ipv4/netfilter/ipt_ECN.c 2003-10-14 04:02:57.000000000 -0400
5570 +++ linux.stock/net/ipv4/netfilter/ipt_ECN.c 2004-05-09 04:13:03.000000000 -0400
5574 if (diffs[0] != *tcpflags) {
5575 - diffs[0] = diffs[0] ^ 0xFFFF;
5576 - diffs[1] = *tcpflags;
5577 + diffs[0] = htons(diffs[0]) ^ 0xFFFF;
5578 + diffs[1] = htons(*tcpflags);
5579 tcph->check = csum_fold(csum_partial((char *)diffs,
5581 tcph->check^0xFFFF));
5582 diff -Nurb linux/net/ipv4/netfilter/ipt_LOG.c linux.stock/net/ipv4/netfilter/ipt_LOG.c
5583 --- linux/net/ipv4/netfilter/ipt_LOG.c 2003-07-04 04:12:31.000000000 -0400
5584 +++ linux.stock/net/ipv4/netfilter/ipt_LOG.c 2004-05-09 04:13:03.000000000 -0400
5586 #include <net/route.h>
5587 #include <linux/netfilter_ipv4/ipt_LOG.h>
5590 +#define DEBUGP printk
5592 #define DEBUGP(format, args...)
5598 +}; /* FIXME evil kludge */
5600 /* Use lock to serialize, so printks don't overlap */
5601 static spinlock_t log_lock = SPIN_LOCK_UNLOCKED;
5602 diff -Nurb linux/net/ipv4/netfilter/ipt_REJECT.c linux.stock/net/ipv4/netfilter/ipt_REJECT.c
5603 --- linux/net/ipv4/netfilter/ipt_REJECT.c 2003-07-04 04:12:31.000000000 -0400
5604 +++ linux.stock/net/ipv4/netfilter/ipt_REJECT.c 2004-05-09 04:13:03.000000000 -0400
5606 #include <linux/module.h>
5607 #include <linux/skbuff.h>
5608 #include <linux/ip.h>
5609 -#include <linux/udp.h>
5610 -#include <linux/icmp.h>
5611 #include <net/icmp.h>
5613 #include <net/tcp.h>
5615 #include <linux/netfilter_ipv4/ip_tables.h>
5616 #include <linux/netfilter_ipv4/ipt_REJECT.h>
5619 +#define DEBUGP printk
5621 #define DEBUGP(format, args...)
5624 /* If the original packet is part of a connection, but the connection
5625 is not confirmed, our manufactured reply will not be associated
5627 static void send_unreach(struct sk_buff *skb_in, int code)
5630 - struct udphdr *udph;
5631 struct icmphdr *icmph;
5632 struct sk_buff *nskb;
5638 + /* FIXME: Use sysctl number. --RR */
5639 if (!xrlim_allow(&rt->u.dst, 1*HZ))
5642 @@ -184,19 +186,6 @@
5643 if (iph->frag_off&htons(IP_OFFSET))
5646 - /* if UDP checksum is set, verify it's correct */
5647 - if (iph->protocol == IPPROTO_UDP
5648 - && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
5649 - int datalen = skb_in->len - (iph->ihl<<2);
5650 - udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
5652 - && csum_tcpudp_magic(iph->saddr, iph->daddr,
5653 - datalen, IPPROTO_UDP,
5654 - csum_partial((char *)udph, datalen,
5659 /* If we send an ICMP error to an ICMP error a mess would result.. */
5660 if (iph->protocol == IPPROTO_ICMP
5661 && skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
5663 /* Copy as much of original packet as will fit */
5664 data = skb_put(nskb,
5665 length - sizeof(struct iphdr) - sizeof(struct icmphdr));
5666 + /* FIXME: won't work with nonlinear skbs --RR */
5667 memcpy(data, skb_in->nh.iph,
5668 length - sizeof(struct iphdr) - sizeof(struct icmphdr));
5669 icmph->checksum = ip_compute_csum((unsigned char *)icmph,
5670 diff -Nurb linux/net/ipv4/netfilter/ipt_ULOG.c linux.stock/net/ipv4/netfilter/ipt_ULOG.c
5671 --- linux/net/ipv4/netfilter/ipt_ULOG.c 2003-07-04 04:12:32.000000000 -0400
5672 +++ linux.stock/net/ipv4/netfilter/ipt_ULOG.c 2004-05-09 04:13:03.000000000 -0400
5674 * module loadtime -HW
5675 * 2002/07/07 remove broken nflog_rcv() function -HW
5676 * 2002/08/29 fix shifted/unshifted nlgroup bug -HW
5677 - * 2002/10/30 fix uninitialized mac_len field - <Anders K. Pedersen>
5679 * Released under the terms of the GPL
5682 * Specify, after how many clock ticks (intel: 100 per second) the queue
5683 * should be flushed even if it is not full yet.
5685 - * ipt_ULOG.c,v 1.22 2002/10/30 09:07:31 laforge Exp
5686 + * ipt_ULOG.c,v 1.21 2002/08/29 10:54:34 laforge Exp
5689 #include <linux/module.h>
5691 #define ULOG_NL_EVENT 111 /* Harald's favorite number */
5692 #define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */
5695 +#define DEBUGP(format, args...) printk(__FILE__ ":" __FUNCTION__ ":" \
5698 #define DEBUGP(format, args...)
5701 #define PRINTR(format, args...) do { if (net_ratelimit()) printk(format, ## args); } while (0)
5704 && in->hard_header_len <= ULOG_MAC_LEN) {
5705 memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
5706 pm->mac_len = in->hard_header_len;
5712 strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
5713 diff -Nurb linux/net/ipv4/netfilter/ipt_multiport.c linux.stock/net/ipv4/netfilter/ipt_multiport.c
5714 --- linux/net/ipv4/netfilter/ipt_multiport.c 2003-07-04 04:12:32.000000000 -0400
5715 +++ linux.stock/net/ipv4/netfilter/ipt_multiport.c 2004-05-09 04:13:03.000000000 -0400
5717 #include <linux/netfilter_ipv4/ipt_multiport.h>
5718 #include <linux/netfilter_ipv4/ip_tables.h>
5721 +#define duprintf(format, args...) printk(format , ## args)
5723 #define duprintf(format, args...)
5726 /* Returns 1 if the port is matched by the test, 0 otherwise. */
5730 /* Must specify proto == TCP/UDP, no unknown flags or bad count */
5731 return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
5732 - && !(ip->invflags & IPT_INV_PROTO)
5733 + && !(ip->flags & IPT_INV_PROTO)
5734 && matchsize == IPT_ALIGN(sizeof(struct ipt_multiport))
5735 && (multiinfo->flags == IPT_MULTIPORT_SOURCE
5736 || multiinfo->flags == IPT_MULTIPORT_DESTINATION
5737 diff -Nurb linux/net/ipv4/netfilter/ipt_pool.c linux.stock/net/ipv4/netfilter/ipt_pool.c
5738 --- linux/net/ipv4/netfilter/ipt_pool.c 2003-07-04 04:12:32.000000000 -0400
5739 +++ linux.stock/net/ipv4/netfilter/ipt_pool.c 1969-12-31 19:00:00.000000000 -0500
5741 -/* Kernel module to match an IP address pool. */
5743 -#include <linux/module.h>
5744 -#include <linux/ip.h>
5745 -#include <linux/skbuff.h>
5747 -#include <linux/netfilter_ipv4/ip_tables.h>
5748 -#include <linux/netfilter_ipv4/ip_pool.h>
5749 -#include <linux/netfilter_ipv4/ipt_pool.h>
5751 -static inline int match_pool(
5756 - if (ip_pool_match(index, ntohl(addr)))
5762 - const struct sk_buff *skb,
5763 - const struct net_device *in,
5764 - const struct net_device *out,
5765 - const void *matchinfo,
5768 - u_int16_t datalen,
5771 - const struct ipt_pool_info *info = matchinfo;
5772 - const struct iphdr *iph = skb->nh.iph;
5774 - if (info->src != IP_POOL_NONE && !match_pool(info->src, iph->saddr,
5775 - info->flags&IPT_POOL_INV_SRC))
5778 - if (info->dst != IP_POOL_NONE && !match_pool(info->dst, iph->daddr,
5779 - info->flags&IPT_POOL_INV_DST))
5785 -static int checkentry(
5786 - const char *tablename,
5787 - const struct ipt_ip *ip,
5789 - unsigned int matchsize,
5790 - unsigned int hook_mask
5792 - if (matchsize != IPT_ALIGN(sizeof(struct ipt_pool_info)))
5797 -static struct ipt_match pool_match
5798 -= { { NULL, NULL }, "pool", &match, &checkentry, NULL, THIS_MODULE };
5800 -static int __init init(void)
5802 - return ipt_register_match(&pool_match);
5805 -static void __exit fini(void)
5807 - ipt_unregister_match(&pool_match);
5812 diff -Nurb linux/net/ipv6/mcast.c linux.stock/net/ipv6/mcast.c
5813 --- linux/net/ipv6/mcast.c 2003-10-14 04:09:34.000000000 -0400
5814 +++ linux.stock/net/ipv6/mcast.c 2004-05-09 04:13:22.000000000 -0400
5817 * Pedro Roque <roque@di.fc.ul.pt>
5819 - * $Id: mcast.c,v 1.1.1.4 2003/10/14 08:09:34 sparq Exp $
5820 + * $Id: mcast.c,v 1.38 2001/08/15 07:36:31 davem Exp $
5822 * Based on linux/ipv4/igmp.c and linux/ipv4/ip_sockglue.c
5824 --- linux/include/linux/ppp-comp.h 2004-08-16 20:58:32.089851872 -0400
5825 +++ linux.stock/include/linux/ppp-comp.h 2004-08-16 20:59:48.217278744 -0400
5827 * OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS,
5830 - * $Id: ppp-comp.h,v 1.1.1.4 2003/10/14 08:09:26 sparq Exp $
5831 + * $Id: ppp-comp.h,v 1.6 1997/11/27 06:04:44 paulus Exp $
projects / openwrt.git / blob