netfilter-2.6/patch-o-matic-ng/trunk: include/linux/netfilter_ipv4/ip_queue.h include/linux/netfilte...

pluto cvs at pld-linux.org
Thu Jul 28 11:04:18 CEST 2005


Author: pluto
Date: Thu Jul 28 11:04:10 2005
New Revision: 6248

Added:
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_IPMARK.h
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_HL.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPMARK.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_SET.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_HL.c
Modified:
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/status
Log:
- HOPLIMIT, IPMARK, ip_queue_vmark.


Modified: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h	Thu Jul 28 11:04:10 2005
@@ -47,10 +47,20 @@
 	unsigned char payload[0];	/* Optional replacement packet */
 } ipq_verdict_msg_t;
 
+typedef struct ipq_vwmark_msg {
+	unsigned int value;		/* Verdict to hand to netfilter */
+	unsigned long id;		/* Packet ID for this verdict */
+	size_t data_len;		/* Length of replacement data */
+	unsigned char payload[0];	/* Optional replacement packet */
+	unsigned long nfmark;		/* Mark for the Packet */
+} ipq_vwmark_msg_t;
+
+
 typedef struct ipq_peer_msg {
 	union {
 		ipq_verdict_msg_t verdict;
 		ipq_mode_msg_t mode;
+                ipq_vwmark_msg_t vwmark;
 	} msg;
 } ipq_peer_msg_t;
 
@@ -67,6 +77,7 @@
 #define IPQM_MODE	(IPQM_BASE + 1)		/* Mode request from peer */
 #define IPQM_VERDICT	(IPQM_BASE + 2)		/* Verdict from peer */ 
 #define IPQM_PACKET	(IPQM_BASE + 3)		/* Packet from kernel */
-#define IPQM_MAX	(IPQM_BASE + 4)
+#define IPQM_VWMARK	(IPQM_BASE + 4)		/* Verdict and mark from peer */
+#define IPQM_MAX	(IPQM_BASE + 5)
 
 #endif /*_IP_QUEUE_H*/

Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_IPMARK.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_IPMARK.h	Thu Jul 28 11:04:10 2005
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+	unsigned long andmask;
+	unsigned long ormask;
+	unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC    0
+#define IPT_IPMARK_DST    1
+
+#endif /*_IPT_IPMARK_H_target*/

Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_HL.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_HL.h	Thu Jul 28 11:04:10 2005
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt at dns.toxicfilms.tv>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+enum {
+	IP6T_HL_SET = 0,
+	IP6T_HL_INC,
+	IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE	IP6T_HL_DEC
+
+struct ip6t_HL_info {
+	u_int8_t	mode;
+	u_int8_t	hop_limit;
+};
+
+
+#endif

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig	Thu Jul 28 11:04:10 2005
@@ -1015,5 +1015,17 @@
 	  If you want to compile it as a module, say M here and read
 	  Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_TARGET_IPMARK
+	tristate  'IPMARK target support'
+	depends on IP_NF_MANGLE
+	help
+	  This option adds a `IPMARK' target, which allows you to create rules
+	  in the `mangle' table which alter the netfilter mark (nfmark) field
+	  basing on the source or destination ip address of the packet.
+	  This is very useful for very fast massive mangling and marking.
+	
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 endmenu
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile	Thu Jul 28 11:04:10 2005
@@ -98,6 +98,7 @@
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
 obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
+obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c	Thu Jul 28 11:04:10 2005
@@ -443,6 +443,33 @@
 }
 
 static int
+ipq_set_vwmark(struct ipq_vwmark_msg *vmsg, unsigned int len)
+{
+	struct ipq_queue_entry *entry;
+
+	if (vmsg->value > NF_MAX_VERDICT)
+		return -EINVAL;
+
+	entry = ipq_find_dequeue_entry(id_cmp, vmsg->id);
+	if (entry == NULL)
+		return -ENOENT;
+	else {
+		int verdict = vmsg->value;
+		
+		if (vmsg->data_len && vmsg->data_len == len)
+			if (ipq_mangle_ipv4((ipq_verdict_msg_t *)vmsg, entry) < 0)
+				verdict = NF_DROP;
+
+		/* set mark of associated skb */
+		entry->skb->nfmark = vmsg->nfmark;
+		
+		ipq_issue_verdict(entry, verdict);
+		return 0;
+	}
+}
+
+
+static int
 ipq_receive_peer(struct ipq_peer_msg *pmsg,
                  unsigned char type, unsigned int len)
 {
@@ -464,6 +491,14 @@
 			status = ipq_set_verdict(&pmsg->msg.verdict,
 			                         len - sizeof(*pmsg));
 			break;
+        case IPQM_VWMARK:
+		if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
+			status = -EINVAL;
+		else
+			status = ipq_set_vwmark(&pmsg->msg.vwmark,
+			                         len - sizeof(*pmsg));
+			break;
+
 	default:
 		status = -EINVAL;
 	}

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPMARK.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPMARK.c	Thu Jul 28 11:04:10 2005
@@ -0,0 +1,81 @@
+/* This is a module which is used for setting the NFMARK field of an skb. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_IPMARK.h>
+
+MODULE_AUTHOR("Grzegorz Janoszka <Grzegorz.Janoszka at pro.onet.pl>");
+MODULE_DESCRIPTION("IP tables IPMARK: mark based on ip address");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	const struct ipt_ipmark_target_info *ipmarkinfo = targinfo;
+	struct iphdr *iph = (*pskb)->nh.iph;
+	unsigned long mark;
+
+	if (ipmarkinfo->addr == IPT_IPMARK_SRC)
+		mark = (unsigned long) ntohl(iph->saddr);
+	else
+		mark = (unsigned long) ntohl(iph->daddr);
+
+	mark &= ipmarkinfo->andmask;
+	mark |= ipmarkinfo->ormask;
+	
+	if ((*pskb)->nfmark != mark) {
+		(*pskb)->nfmark = mark;
+		(*pskb)->nfcache |= NFC_ALTERED;
+	}
+	return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))) {
+		printk(KERN_WARNING "IPMARK: targinfosize %u != %Zu\n",
+		       targinfosize,
+		       IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)));
+		return 0;
+	}
+
+	if (strcmp(tablename, "mangle") != 0) {
+		printk(KERN_WARNING "IPMARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_ipmark_reg = { 
+	.name = "IPMARK",
+	.target = target,
+	.checkentry = checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_ipmark_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_ipmark_reg);
+}
+
+module_init(init);
+module_exit(fini);

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_SET.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_SET.c	Thu Jul 28 11:04:10 2005
@@ -0,0 +1,128 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem at linux.nu>
+ *                         Patrick Schaaf <bof at bof.de>
+ *                         Martin Josefsson <gandalf at wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+/* ipt_SET.c - netfilter target to manipulate IP sets */
+
+#include <linux/types.h>
+#include <linux/ip.h>
+#include <linux/timer.h>
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/netdevice.h>
+#include <linux/if.h>
+#include <linux/inetdevice.h>
+#include <net/protocol.h>
+#include <net/checksum.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter_ipv4/ipt_set.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	const struct ipt_set_info_target *info = targinfo;
+	
+	if (info->add_set.index != IP_SET_INVALID_ID)
+		ip_set_addip_kernel(info->add_set.index,
+				    *pskb,
+				    info->add_set.flags);
+	if (info->del_set.index != IP_SET_INVALID_ID)
+		ip_set_delip_kernel(info->del_set.index,
+				    *pskb,
+				    info->del_set.flags);
+
+	return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+	   void *targinfo,
+	   unsigned int targinfosize, unsigned int hook_mask)
+{
+	struct ipt_set_info_target *info = 
+		(struct ipt_set_info_target *) targinfo;
+	ip_set_id_t index;
+
+	if (targinfosize != IPT_ALIGN(sizeof(*info))) {
+		DP("bad target info size %u", targinfosize);
+		return 0;
+	}
+
+	if (info->add_set.index != IP_SET_INVALID_ID) {
+		index = ip_set_get_byindex(info->add_set.index);
+		if (index == IP_SET_INVALID_ID) {
+			ip_set_printk("cannot find add_set index %u as target",
+				      info->add_set.index);
+			return 0;	/* error */
+		}
+	}
+
+	if (info->del_set.index != IP_SET_INVALID_ID) {
+		index = ip_set_get_byindex(info->del_set.index);
+		if (index == IP_SET_INVALID_ID) {
+			ip_set_printk("cannot find del_set index %u as target",
+				      info->del_set.index);
+			return 0;	/* error */
+		}
+	}
+	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
+	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+		ip_set_printk("That's nasty!");
+		return 0;	/* error */
+	}
+
+	return 1;
+}
+
+static void destroy(void *targetinfo, unsigned int targetsize)
+{
+	struct ipt_set_info_target *info = targetinfo;
+
+	if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) {
+		ip_set_printk("invalid targetsize %d", targetsize);
+		return;
+	}
+
+	if (info->add_set.index != IP_SET_INVALID_ID)
+		ip_set_put(info->add_set.index);
+	if (info->del_set.index != IP_SET_INVALID_ID)
+		ip_set_put(info->del_set.index);
+}
+
+static struct ipt_target SET_target = {
+	.name 		= "SET",
+	.target 	= target,
+	.checkentry 	= checkentry,
+	.destroy 	= destroy,
+	.me 		= THIS_MODULE
+};
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
+MODULE_DESCRIPTION("iptables IP set target module");
+
+static int __init init(void)
+{
+	return ipt_register_target(&SET_target);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&SET_target);
+}
+
+module_init(init);
+module_exit(fini);

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig	Thu Jul 28 11:04:10 2005
@@ -296,5 +296,15 @@
 
          To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_HL
+	tristate  'HL target support'
+	depends on IP6_NF_MANGLE
+	help
+	  This option adds a `HL' target, which allows you to modify the value of
+	  IPv6 Hop Limit field.
+	
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 endmenu
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile	Thu Jul 28 11:04:10 2005
@@ -24,6 +24,7 @@
 obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o
 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
+obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
 
 obj-$(CONFIG_IP6_NF_MATCH_NTH) += ip6t_nth.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_HL.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_HL.c	Thu Jul 28 11:04:10 2005
@@ -0,0 +1,111 @@
+/* 
+ * Hop Limit modification target for ip6tables
+ * Maciej Soltysiak <solt at dns.toxicfilms.tv>
+ * Based on HW's TTL module
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_HL.h>
+
+MODULE_AUTHOR("Maciej Soltysiak <solt at dns.toxicfilms.tv>");
+MODULE_DESCRIPTION("IP tables Hop Limit modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
+				   const struct net_device *in,
+				   const struct net_device *out,
+				   unsigned int hooknum,
+				   const void *targinfo, void *userinfo)
+{
+	struct ipv6hdr *ip6h = (*pskb)->nh.ipv6h;
+	const struct ip6t_HL_info *info = targinfo;
+	u_int16_t diffs[2];
+	int new_hl;
+			 
+	switch (info->mode) {
+		case IP6T_HL_SET:
+			new_hl = info->hop_limit;
+			break;
+		case IP6T_HL_INC:
+			new_hl = ip6h->hop_limit + info->hop_limit;
+			if (new_hl > 255)
+				new_hl = 255;
+			break;
+		case IP6T_HL_DEC:
+			new_hl = ip6h->hop_limit - info->hop_limit;
+			if (new_hl < 0)
+				new_hl = 0;
+			break;
+		default:
+			new_hl = ip6h->hop_limit;
+			break;
+	}
+
+	if (new_hl != ip6h->hop_limit) {
+		diffs[0] = htons(((unsigned)ip6h->hop_limit) << 8) ^ 0xFFFF;
+		ip6h->hop_limit = new_hl;
+		diffs[1] = htons(((unsigned)ip6h->hop_limit) << 8);
+	}
+
+	return IP6T_CONTINUE;
+}
+
+static int ip6t_hl_checkentry(const char *tablename,
+		const struct ip6t_entry *e,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask)
+{
+	struct ip6t_HL_info *info = targinfo;
+
+	if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_HL_info))) {
+		printk(KERN_WARNING "HL: targinfosize %u != %Zu\n",
+				targinfosize,
+				IP6T_ALIGN(sizeof(struct ip6t_HL_info)));
+		return 0;	
+	}	
+
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "HL: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	if (info->mode > IP6T_HL_MAXMODE) {
+		printk(KERN_WARNING "HL: invalid or unknown Mode %u\n", 
+			info->mode);
+		return 0;
+	}
+
+	if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) {
+		printk(KERN_WARNING "HL: increment/decrement doesn't make sense with value 0\n");
+		return 0;
+	}
+	
+	return 1;
+}
+
+static struct ip6t_target ip6t_HL = { 
+	.name 		= "HL", 
+	.target		= ip6t_hl_target, 
+	.checkentry	= ip6t_hl_checkentry, 
+	.me		= THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ip6t_register_target(&ip6t_HL);
+}
+
+static void __exit fini(void)
+{
+	ip6t_unregister_target(&ip6t_HL);
+}
+
+module_init(init);
+module_exit(fini);

Modified: netfilter-2.6/patch-o-matic-ng/trunk/status
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/status	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/status	Thu Jul 28 11:04:10 2005
@@ -13,10 +13,10 @@
 goto			2005/07/27	added
 h323-conntrack-nat	2005/07/27	updated
 hashlimit				updated
-HOPLIMIT				added
-IPMARK					added
+HOPLIMIT		2005/07/27	added
+IPMARK			2005/07/27	added
 ipp2p					added+updated	(v0.7.4)
-ip_queue_vmark				added
+ip_queue_vmark		2005/07/27	added
 iprange					updated
 ipv4options		2005/07/27	added
 IPV4OPTSSTRIP		2005/07/27	added



More information about the pld-cvs-commit mailing list