SOURCES (LINUX_2_6): kernel-pom-ng-IPV4OPTSSTRIP.patch (NEW), kern...
mguevara
mguevara at pld-linux.org
Wed May 30 13:53:35 CEST 2007
Author: mguevara Date: Wed May 30 11:53:35 2007 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- netfilter pom-ng and layer7 patches cleanup
- merge of layer7, conntrack_mms and connlimit patches
- new naming scheme applied
---- Files affected:
SOURCES:
kernel-pom-ng-IPV4OPTSSTRIP.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-ipv4options.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-set.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-u32.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-ROUTE.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-TARPIT.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-mms-conntrack-nat.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-rsh.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-IPMARK.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-connlimit.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-geoip.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-ipp2p.patch (NONE -> 1.1.2.1) (NEW), kernel-pom-ng-time.patch (NONE -> 1.1.2.1) (NEW), kernel-layer7.patch (NONE -> 1.1.2.1) (NEW), pom-ng-IPV4OPTSSTRIP-20061213.patch (1.1.2.5 -> NONE) (REMOVED), pom-ng-ipv4options-20061213.patch (1.1.2.3 -> NONE) (REMOVED), pom-ng-set-20061213.patch (1.1.2.3 -> NONE) (REMOVED), pom-ng-u32-20061213.patch (1.1.2.3 -> NONE) (REMOVED)
, pom-ng-ROUTE-20061213.patch (1.1.2.5 -> NONE) (REMOVED), pom-ng-TARPIT-20061213.patch (1.1.2.5 -> NONE) (REMOVED), pom-ng-mms-conntrack-nat-20061213.patch (1.1.2.4 -> NONE) (REMOVED), pom-ng-rsh-20061213.patch (1.1.2.2 -> NONE) (REMOVED), pom-ng-IPMARK-20061213.patch (1.1.2.5 -> NONE) (REMOVED), pom-ng-connlimit-20061213.patch (1.1.2.4 -> NONE) (REMOVED), pom-ng-geoip-20061213.patch (1.1.2.3 -> NONE) (REMOVED), pom-ng-ipp2p-20061213.patch (1.1.2.4 -> NONE) (REMOVED), pom-ng-time-20061213.patch (1.1.2.5 -> NONE) (REMOVED), nf_conntrack_mms.patch (1.1.2.2.2.1 -> NONE) (REMOVED), kernel-2.6.18-layer7-2.7.patch (1.1.2.2 -> NONE) (REMOVED), kernel-2.6.18-layer7-2.7-2.6.19-fix.patch (1.1.2.2 -> NONE) (REMOVED), pom-ng-connlimit-20061213_nf_conntrack_port.patch (1.1.2.1.2.1 -> NONE) (REMOVED), linux-2.6-layer7_nf_conntrack_port.patch (1.1.2.1.2.1 -> NONE) (REMOVED)
---- Diffs:
================================================================
Index: SOURCES/kernel-pom-ng-IPV4OPTSSTRIP.patch
diff -u /dev/null SOURCES/kernel-pom-ng-IPV4OPTSSTRIP.patch:1.1.2.1
--- /dev/null Wed May 30 13:53:35 2007
+++ SOURCES/kernel-pom-ng-IPV4OPTSSTRIP.patch Wed May 30 13:53:30 2007
@@ -0,0 +1,121 @@
+diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/Kconfig linux-2.6.21.a/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:11:52.000000000 +0200
++++ linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
+@@ -668,5 +668,15 @@ config IP_NF_ARP_MANGLE
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_TARGET_IPV4OPTSSTRIP
++ tristate 'IPV4OPTSSTRIP target support'
++ depends on IP_NF_MANGLE
++ help
++ This option adds an IPV4OPTSSTRIP target.
++ This target allows you to strip all IP options in a packet.
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/Makefile linux-2.6.21.a/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:11:52.000000000 +0200
++++ linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
+@@ -103,6 +103,7 @@ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt
+ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
+ obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
+ obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
++obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
+ obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
+ obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
+ obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
+--- linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2007-05-30 11:18:08.000000000 +0200
+@@ -0,0 +1,87 @@
++/**
++ * Strip all IP options in the IP packet header.
++ *
++ * (C) 2001 by Fabrice MARIE <fabrice at netfilter.org>
++ * This software is distributed under GNU GPL v2, 1991
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <net/ip.h>
++#include <net/checksum.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++MODULE_AUTHOR("Fabrice MARIE <fabrice at netfilter.org>");
++MODULE_DESCRIPTION("Strip all options in IPv4 packets");
++MODULE_LICENSE("GPL");
++
++static unsigned int
++target(struct sk_buff **pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ unsigned int hooknum,
++ const struct xt_target *target,
++ const void *targinfo)
++{
++ struct iphdr *iph;
++ struct sk_buff *skb;
++ struct ip_options *opt;
++ unsigned char *optiph;
++ int l;
++
++ if (!skb_make_writable(pskb, (*pskb)->len))
++ return NF_DROP;
++
++ skb = (*pskb);
++ iph = (*pskb)->nh.iph;
++ optiph = skb->nh.raw;
++ l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
++
++ /* if no options in packet then nothing to clear. */
++ if (iph->ihl * 4 == sizeof(struct iphdr))
++ return IPT_CONTINUE;
++
++ /* else clear all options */
++ memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
++ memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
++ opt = &(IPCB(skb)->opt);
++ opt->is_data = 0;
++ opt->optlen = l;
++
++ return IPT_CONTINUE;
++}
++
++static int
++checkentry(const char *tablename,
++ const void *e,
++ const struct xt_target *target,
++ void *targinfo,
++ unsigned int hook_mask)
++{
++ if (strcmp(tablename, "mangle")) {
++ printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
++ return 0;
++ }
++ /* nothing else to check because no parameters */
++ return 1;
++}
++
++static struct ipt_target ipt_ipv4optsstrip_reg = {
++ .name = "IPV4OPTSSTRIP",
++ .target = target,
++ .checkentry = checkentry,
++ .me = THIS_MODULE };
++
++static int __init init(void)
++{
++ return xt_register_target(&ipt_ipv4optsstrip_reg);
++}
++
++static void __exit fini(void)
++{
++ xt_unregister_target(&ipt_ipv4optsstrip_reg);
++}
++
++module_init(init);
++module_exit(fini);
================================================================
Index: SOURCES/kernel-pom-ng-ipv4options.patch
diff -u /dev/null SOURCES/kernel-pom-ng-ipv4options.patch:1.1.2.1
--- /dev/null Wed May 30 13:53:35 2007
+++ SOURCES/kernel-pom-ng-ipv4options.patch Wed May 30 13:53:30 2007
@@ -0,0 +1,241 @@
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h 2007-05-30 11:22:30.000000000 +0200
+@@ -0,0 +1,21 @@
++#ifndef __ipt_ipv4options_h_included__
++#define __ipt_ipv4options_h_included__
++
++#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
++#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
++#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
++#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
++#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
++#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
++#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
++#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
++#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
++#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
++#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
++
++struct ipt_ipv4options_info {
++ u_int16_t options;
++};
++
++
++#endif /* __ipt_ipv4options_h_included__ */
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:22:30.000000000 +0200
+@@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
++config IP_NF_MATCH_IPV4OPTIONS
++ tristate 'IPV4OPTIONS match support'
++ depends on IP_NF_IPTABLES
++ help
++ This option adds a IPV4OPTIONS match.
++ It allows you to filter options like source routing,
++ record route, timestamp and router-altert.
++
++ If you say Y here, try iptables -m ipv4options --help for more information.
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:22:30.000000000 +0200
+@@ -86,6 +86,9 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
+ obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
+ obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
+ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
++
++obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
++
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
+ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
+--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
+@@ -0,0 +1,177 @@
++/*
++ This is a module which is used to match ipv4 options.
++ This file is distributed under the terms of the GNU General Public
++ License (GPL). Copies of the GPL can be obtained from:
++ ftp://prep.ai.mit.edu/pub/gnu/GPL
++
++ 11-mars-2001 Fabrice MARIE <fabrice at netfilter.org> : initial development.
++ 12-july-2001 Fabrice MARIE <fabrice at netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
++ 12-august-2001 Imran Patel <ipatel at crosswinds.net> : optimization of the match.
++ 18-november-2001 Fabrice MARIE <fabrice at netfilter.org> : added [!] 'any' option match.
++ 19-february-2004 Harald Welte <laforge at netfilter.org> : merge with 2.6.x
++*/
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <net/ip.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_ipv4options.h>
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Fabrice Marie <fabrice at netfilter.org>");
++
++static int
++match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
++{
++ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
++ const struct iphdr *iph = skb->nh.iph;
++ const struct ip_options *opt;
++
++ if (iph->ihl * 4 == sizeof(struct iphdr)) {
++ /* No options, so we match only the "DONTs" and the "IGNOREs" */
++
++ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
++ return 0;
++ return 1;
++ }
++ else {
++ if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
++ /* there are options, and we don't need to care which one */
++ return 1;
++ else {
++ if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
++ /* there are options but we don't want any ! */
++ return 0;
++ }
++ }
++
++ opt = &(IPCB(skb)->opt);
++
++ /* source routing */
++ if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
++ if (!((opt->srr) && (opt->is_strictroute)))
++ return 0;
++ }
++ else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
++ if (!((opt->srr) && (!opt->is_strictroute)))
++ return 0;
++ }
++ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
++ if (opt->srr)
++ return 0;
++ }
++ /* record route */
++ if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
++ if (!opt->rr)
++ return 0;
++ }
++ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
++ if (opt->rr)
++ return 0;
++ }
++ /* timestamp */
++ if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
++ if (!opt->ts)
++ return 0;
++ }
++ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
++ if (opt->ts)
++ return 0;
++ }
++ /* router-alert option */
++ if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
++ if (!opt->router_alert)
++ return 0;
++ }
++ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
++ if (opt->router_alert)
++ return 0;
++ }
++
++ /* we match ! */
++ return 1;
++}
++
++static int
++checkentry(const char *tablename,
++ const void *ip,
++ const struct xt_match *match,
++ void *matchinfo,
++
++ unsigned int hook_mask)
++{
++ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
++
++
++
++ /* Now check the coherence of the data ... */
++ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
++ (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
++ return 0; /* opposites */
++ if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
++ (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
++ return 0; /* opposites */
++ if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
++ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
++ return 0; /* cannot match in the same time loose and strict source routing */
++ if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
++ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
++ return 0; /* opposites */
++ if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
++ return 0; /* opposites */
++ if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
++ return 0; /* opposites */
++ if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
++ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
++ return 0; /* opposites */
++
++ /* everything looks ok. */
++ return 1;
++}
++
++static struct xt_match ipv4options_match = {
++ .name = "ipv4options",
++ .family = AF_INET,
++ .match = match,
++ .matchsize = sizeof(struct ipt_ipv4options_info),
++ .checkentry = checkentry,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ return xt_register_match(&ipv4options_match);
++}
++
++static void __exit fini(void)
++{
++ xt_unregister_match(&ipv4options_match);
++}
++
++module_init(init);
++module_exit(fini);
================================================================
Index: SOURCES/kernel-pom-ng-set.patch
diff -u /dev/null SOURCES/kernel-pom-ng-set.patch:1.1.2.1
--- /dev/null Wed May 30 13:53:35 2007
+++ SOURCES/kernel-pom-ng-set.patch Wed May 30 13:53:30 2007
@@ -0,0 +1,6599 @@
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ip_set.h linux-2.6.21.b/include/linux/netfilter_ipv4/ip_set.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv4/ip_set.h 2007-05-30 11:36:07.000000000 +0200
+@@ -0,0 +1,498 @@
++#ifndef _IP_SET_H
++#define _IP_SET_H
++
++/* Copyright (C) 2000-2002 Joakim Axelsson <gozem at linux.nu>
++ * Patrick Schaaf <bof at bof.de>
++ * Martin Josefsson <gandalf at wlug.westbo.se>
++ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++#if 0
++#define IP_SET_DEBUG
++#endif
++
++/*
++ * A sockopt of such quality has hardly ever been seen before on the open
++ * market! This little beauty, hardly ever used: above 64, so it's
++ * traditionally used for firewalling, not touched (even once!) by the
++ * 2.0, 2.2 and 2.4 kernels!
++ *
++ * Comes with its own certificate of authenticity, valid anywhere in the
++ * Free world!
++ *
++ * Rusty, 19.4.2000
++ */
++#define SO_IP_SET 83
++
++/*
++ * Heavily modify by Joakim Axelsson 08.03.2002
++ * - Made it more modulebased
++ *
++ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
++ * - bindings added
++ * - in order to "deal with" backward compatibility, renamed to ipset
++ */
++
++/*
++ * Used so that the kernel module and ipset-binary can match their versions
++ */
++#define IP_SET_PROTOCOL_VERSION 2
++
++#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
++
++/* Lets work with our own typedef for representing an IP address.
++ * We hope to make the code more portable, possibly to IPv6...
++ *
++ * The representation works in HOST byte order, because most set types
++ * will perform arithmetic operations and compare operations.
++ *
++ * For now the type is an uint32_t.
++ *
++ * Make sure to ONLY use the functions when translating and parsing
++ * in order to keep the host byte order and make it more portable:
++ * parse_ip()
++ * parse_mask()
++ * parse_ipandmask()
++ * ip_tostring()
++ * (Joakim: where are they???)
++ */
++
++typedef uint32_t ip_set_ip_t;
++
++/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
++ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
++ */
++typedef uint16_t ip_set_id_t;
++
++#define IP_SET_INVALID_ID 65535
++
++/* How deep we follow bindings */
++#define IP_SET_MAX_BINDINGS 6
++
++/*
++ * Option flags for kernel operations (ipt_set_info)
++ */
++#define IPSET_SRC 0x01 /* Source match/add */
++#define IPSET_DST 0x02 /* Destination match/add */
++#define IPSET_MATCH_INV 0x04 /* Inverse matching */
++
++/*
++ * Set features
++ */
++#define IPSET_TYPE_IP 0x01 /* IP address type of set */
++#define IPSET_TYPE_PORT 0x02 /* Port type of set */
++#define IPSET_DATA_SINGLE 0x04 /* Single data storage */
++#define IPSET_DATA_DOUBLE 0x08 /* Double data storage */
++
++/* Reserved keywords */
++#define IPSET_TOKEN_DEFAULT ":default:"
++#define IPSET_TOKEN_ALL ":all:"
++
++/* SO_IP_SET operation constants, and their request struct types.
++ *
++ * Operation ids:
++ * 0-99: commands with version checking
++ * 100-199: add/del/test/bind/unbind
++ * 200-299: list, save, restore
++ */
++
++/* Single shot operations:
++ * version, create, destroy, flush, rename and swap
++ *
++ * Sets are identified by name.
++ */
++
++#define IP_SET_REQ_STD \
++ unsigned op; \
++ unsigned version; \
++ char name[IP_SET_MAXNAMELEN]
++
++#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
++struct ip_set_req_create {
++ IP_SET_REQ_STD;
++ char typename[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
++struct ip_set_req_std {
++ IP_SET_REQ_STD;
++};
++
++#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
++/* Uses ip_set_req_std */
++
++#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
++/* Uses ip_set_req_create */
++
++#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
++/* Uses ip_set_req_create */
++
++union ip_set_name_index {
++ char name[IP_SET_MAXNAMELEN];
++ ip_set_id_t index;
++};
++
++#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
++struct ip_set_req_get_set {
++ unsigned op;
++ unsigned version;
++ union ip_set_name_index set;
++};
++
++#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
++/* Uses ip_set_req_get_set */
++
++#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
++struct ip_set_req_version {
++ unsigned op;
++ unsigned version;
++};
++
++/* Double shots operations:
++ * add, del, test, bind and unbind.
++ *
++ * First we query the kernel to get the index and type of the target set,
++ * then issue the command. Validity of IP is checked in kernel in order
++ * to minimalize sockopt operations.
++ */
++
++/* Get minimal set data for add/del/test/bind/unbind IP */
++#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
++struct ip_set_req_adt_get {
++ unsigned op;
++ unsigned version;
++ union ip_set_name_index set;
++ char typename[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_REQ_BYINDEX \
++ unsigned op; \
++ ip_set_id_t index;
++
++struct ip_set_req_adt {
++ IP_SET_REQ_BYINDEX;
++};
++
++#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
++/* Uses ip_set_req_bind, with type specific addage */
++struct ip_set_req_bind {
++ IP_SET_REQ_BYINDEX;
++ char binding[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
++/* Uses ip_set_req_bind, with type speficic addage
++ * index = 0 means unbinding for all sets */
++
++#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
++/* Uses ip_set_req_bind, with type specific addage */
++
++/* Multiple shots operations: list, save, restore.
++ *
++ * - check kernel version and query the max number of sets
++ * - get the basic information on all sets
++ * and size required for the next step
++ * - get actual set data: header, data, bindings
++ */
++
++/* Get max_sets and the index of a queried set
++ */
++#define IP_SET_OP_MAX_SETS 0x00000020
<<Diff was trimmed, longer than 597 lines>>
More information about the pld-cvs-commit
mailing list