netfilter-2.6/patch-o-matic-ng/trunk: include/linux/netfilter_ipv4/ip_conntrack_quake3.h net/ipv4/ne...

pluto cvs at pld-linux.org
Thu Jul 28 14:19:37 CEST 2005


Author: pluto
Date: Thu Jul 28 14:19:32 2005
New Revision: 6257

Added:
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_conntrack_quake3.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_nat_quake3.c
Modified:
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/status
Log:
- quake3-conntrack-nat.


Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_conntrack_quake3.h	Thu Jul 28 14:19:32 2005
@@ -0,0 +1,22 @@
+#ifndef _IP_CT_QUAKE3
+#define _IP_CT_QUAKE3
+
+/* Don't confuse with 27960, often used as the Server Port */
+#define QUAKE3_MASTER_PORT 27950
+
+struct quake3_search {
+	const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
+	const char *pattern;
+	size_t plen;
+}; 
+
+/* This structure is per expected connection */
+struct ip_ct_quake3_expect {
+};
+
+/* This structure exists only once per master */
+struct ip_ct_quake3_master {
+};
+
+extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+#endif /* _IP_CT_QUAKE3 */

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig	Thu Jul 28 14:19:32 2005
@@ -1168,5 +1168,23 @@
 	  
 
 
+config IP_NF_NAT_QUAKE3
+	tristate
+	depends on IP_NF_CONNTRACK!=n && IP_NF_NAT !=n
+	default IP_NF_NAT if IP_NF_QUAKE3=y
+	default m if IP_NF_QUAKE3=m
+
+config IP_NF_QUAKE3
+	tristate "Quake3 protocol support"
+	depends on IP_NF_CONNTRACK
+	help
+	  Quake III Arena  connection tracking helper. This module allows for a
+	  stricter firewall rulebase if one only allows traffic to a master
+	  server. Connections to Quake III server IP addresses and ports returned
+	  by the master server will be tracked automatically.
+	
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `Y'.
+
 endmenu
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile	Thu Jul 28 14:19:32 2005
@@ -24,6 +24,7 @@
 obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
 
 # connection tracking helpers
+obj-$(CONFIG_IP_NF_QUAKE3) += ip_conntrack_quake3.o
 obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
 obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
 obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o
@@ -38,6 +39,7 @@
 obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
 obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
+obj-$(CONFIG_IP_NF_NAT_QUAKE3) += ip_nat_quake3.o
 
 # generic IP tables 
 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_conntrack_quake3.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_conntrack_quake3.c	Thu Jul 28 14:19:32 2005
@@ -0,0 +1,201 @@
+/* Quake3 extension for IP connection tracking
+ * (C) 2002 by Filip Sneppe <filip.sneppe at cronos.be>
+ * (C) 2005 by Harald Welte <laforge at netfilter.org>
+ * based on ip_conntrack_ftp.c and ip_conntrack_tftp.c
+ *
+ * ip_conntrack_quake3.c v0.04 2002-08-31
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ *
+ *      Module load syntax:
+ *      insmod ip_conntrack_quake3.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *      please give the ports of all Quake3 master servers You wish to 
+ *      connect to. If you don't specify ports, the default will be UDP 
+ *      port 27950.
+ *
+ *      Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ */
+
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
+
+MODULE_AUTHOR("Filip Sneppe <filip.sneppe at cronos.be>");
+MODULE_DESCRIPTION("Netfilter connection tracking module for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_c = 0;
+module_param_array(ports, int, &ports_c, 0400);
+MODULE_PARM_DESC(ports, "port numbers of Quake III master servers");
+
+static char quake3_buffer[65536];
+static DECLARE_LOCK(quake3_buffer_lock);
+
+static unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+   doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0 
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+struct quake3_search quake3s_conntrack = { "****", "getserversResponse", sizeof("getserversResponse") - 1 };
+
+static int quake3_help(struct sk_buff **pskb,
+	struct ip_conntrack *ct,
+	enum ip_conntrack_info ctinfo)
+{
+	struct udphdr _udph, *uh;
+	struct ip_conntrack_expect *exp;
+	void *data, *qb_ptr;
+	int dir = CTINFO2DIR(ctinfo);
+	int i, dataoff;
+	int ret = NF_ACCEPT;
+
+	
+	/* Until there's been traffic both ways, don't look in packets. note:
+	 * it's UDP ! */
+	if (ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_IS_REPLY) {
+	        DEBUGP("ip_conntrack_quake3: not ok ! Conntrackinfo = %u\n",
+			ctinfo);
+	        return NF_ACCEPT;
+	} else { 
+		DEBUGP("ip_conntrack_quake3: it's ok ! Conntrackinfo = %u\n",
+			ctinfo);
+	}
+
+	/* Valid UDP header? */
+	uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
+				sizeof(_udph), &_udph);
+	if (!uh)
+		return NF_ACCEPT;
+
+	/* Any data? */
+	dataoff = (*pskb)->nh.iph->ihl*4 + sizeof(struct udphdr);
+	if (dataoff >= (*pskb)->len)
+		return NF_ACCEPT;
+
+	LOCK_BH(&quake3_buffer_lock);
+	qb_ptr = skb_header_pointer(*pskb, dataoff,
+				    (*pskb)->len - dataoff, quake3_buffer);
+	BUG_ON(qb_ptr == NULL);
+	data = qb_ptr;
+
+	
+	if (strnicmp(data + 4, quake3s_conntrack.pattern, 
+		     quake3s_conntrack.plen) == 0) {
+		for(i=23;    /* 4 bytes filler, 18 bytes "getserversResponse", 
+				1 byte "\" */
+		    i+6 < ntohs(uh->len);
+		    i+=7) {
+			u_int32_t *ip = data+i;
+			u_int16_t *port = data+i+4;
+#if 0
+			DEBUGP("ip_conntrack_quake3: adding server at offset "
+			       "%u/%u %u.%u.%u.%u:%u\n", i, ntohs(uh->len),
+			       NIPQUAD(*ip), ntohs(*port));
+#endif
+
+			exp = ip_conntrack_expect_alloc();
+			if (!exp) { 
+				ret = NF_DROP;
+				goto out;
+			}
+
+			memset(exp, 0, sizeof(*exp));
+
+			exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
+			exp->tuple.dst.ip = *ip;
+			exp->tuple.dst.u.udp.port = *port;
+			exp->tuple.dst.protonum = IPPROTO_UDP;
+
+			exp->mask.src.ip = 0xffffffff;
+			exp->mask.dst.ip = 0xffffffff;
+			exp->mask.dst.u.udp.port = 0xffff;
+			exp->mask.dst.protonum = 0xff;
+
+			if (ip_nat_quake3_hook) 
+				ret = ip_nat_quake3_hook(exp);
+			else if (ip_conntrack_expect_related(exp) != 0) {
+				ip_conntrack_expect_free(exp);
+				ret = NF_DROP;
+			}
+			goto out;
+		}
+	}
+	
+out:
+	return ret;
+}
+
+static struct ip_conntrack_helper quake3[MAX_PORTS];
+static char quake3_names[MAX_PORTS][13];  /* quake3-65535 */
+
+static void fini(void)
+{
+	int i;
+
+	for(i = 0 ; (i < ports_c); i++) {
+		DEBUGP("ip_conntrack_quake3: unregistering helper for port %d\n",
+					ports[i]);
+		ip_conntrack_helper_unregister(&quake3[i]);
+	} 
+}
+
+static int __init init(void)
+{
+	int i, ret;
+	char *tmpname;
+
+	if(!ports[0])
+		ports[0]=QUAKE3_MASTER_PORT;
+
+	for(i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
+		/* Create helper structure */
+		memset(&quake3[i], 0, sizeof(struct ip_conntrack_helper));
+
+		quake3[i].tuple.dst.protonum = IPPROTO_UDP;
+		quake3[i].tuple.src.u.udp.port = htons(ports[i]);
+		quake3[i].mask.dst.protonum = 0xFF;
+		quake3[i].mask.src.u.udp.port = 0xFFFF;
+		quake3[i].help = quake3_help;
+		quake3[i].me = THIS_MODULE;
+		quake3[i].timeout = 120;
+
+		tmpname = &quake3_names[i][0];
+		if (ports[i] == QUAKE3_MASTER_PORT)
+			sprintf(tmpname, "quake3");
+		else
+			sprintf(tmpname, "quake3-%d", i);
+		quake3[i].name = tmpname;
+		
+		DEBUGP("ip_conntrack_quake3: registering helper for port %d\n",
+		       ports[i]);
+
+		ret=ip_conntrack_helper_register(&quake3[i]);
+		if(ret) {
+			fini();
+			return(ret);
+		}
+		ports_c++;
+	}
+
+	return(0);
+}
+
+module_init(init);
+module_exit(fini);

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_nat_quake3.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_nat_quake3.c	Thu Jul 28 14:19:32 2005
@@ -0,0 +1,97 @@
+/* Quake3 extension for UDP NAT alteration.
+ * (C) 2002 by Filip Sneppe <filip.sneppe at cronos.be>
+ * (C) 2005 by Harald Welte <laforge at netfilter.org>
+ * based on ip_nat_ftp.c and ip_nat_tftp.c
+ *
+ * ip_nat_quake3.c v0.0.3 2002-08-31
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ *
+ *      Module load syntax:
+ *      insmod ip_nat_quake3.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *      please give the ports of all Quake3 master servers You wish to
+ *      connect to. If you don't specify ports, the default will be UDP
+ *      port 27950.
+ *
+ *      Thanks to the Ethereal folks for their analysis of the Quake3 protocol.
+ *
+ *      Notes: 
+ *      - If you're one of those people who would try anything to lower
+ *        latency while playing Quake (and who isn't :-) ), you may want to
+ *        consider not loading ip_nat_quake3 at all and just MASQUERADE all
+ *        outgoing UDP traffic.
+ *        This will make ip_conntrack_quake3 add the necessary expectations,
+ *        but there will be no overhead for client->server UDP streams. If
+ *        ip_nat_quake3 is loaded, quake3_nat_expected will be called per NAT
+ *        hook for every packet in the client->server UDP stream.
+ *      - Only SNAT/MASQUEARDE targets are useful for ip_nat_quake3.
+ *        The IP addresses in the master connection payload (=IP addresses
+ *        of Quake servers) have no relation with the master server so
+ *        DNAT'ing the master connection to a server should not change the
+ *        expected connections.
+ *      - Not tested due to lack of equipment:
+ *        - multiple Quake3 clients behind one MASQUERADE gateway
+ *        - what if Quake3 client is running on router too
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_quake3.h>
+#include <linux/netfilter_ipv4/ip_nat_helper.h>
+
+MODULE_AUTHOR("Filip Sneppe <filip.sneppe at cronos.be>");
+MODULE_DESCRIPTION("Netfilter NAT helper for Quake III Arena");
+MODULE_LICENSE("GPL");
+
+/* Quake3 master server reply will add > 100 expectations per reply packet; when
+   doing lots of printk's, klogd may not be able to read /proc/kmsg fast enough */
+#if 0 
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static unsigned int 
+quake3_nat_help(struct ip_conntrack_expect *exp)
+{
+	struct ip_conntrack *ct = exp->master;
+
+	/* What is this?  Why don't we try to alter the port? -HW */
+	exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
+	exp->saved_proto.udp.port = exp->tuple.dst.u.udp.port;
+	exp->expectfn = ip_nat_follow_master;
+	//exp->dir = !dir;
+
+	if (ip_conntrack_expect_related(exp) != 0) {
+		ip_conntrack_expect_free(exp);
+		return NF_DROP;
+	}
+
+	return NF_ACCEPT;
+}
+
+static void fini(void)
+{
+	ip_nat_quake3_hook = NULL;
+	synchronize_net();
+}
+
+static int __init init(void)
+{
+	BUG_ON(ip_nat_quake3_hook);
+	ip_nat_quake3_hook = quake3_nat_help;
+	return 0;
+}
+	
+module_init(init);
+module_exit(fini);

Modified: netfilter-2.6/patch-o-matic-ng/trunk/status
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/status	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/status	Thu Jul 28 14:19:32 2005
@@ -29,6 +29,7 @@
 policy			2005/07/27	added
 pptp-conntrack-nat	2005/07/27	added		fix build warnings
 psd			2005/07/27	added
+quake3-conntrack-nat	2005/07/27	added
 quota			2005/07/27	added
 realm					updated
 recent					updated		(v0.3.2)



More information about the pld-cvs-commit mailing list