SOURCES: kernel-desktop-pom-ng-geoip.patch (NEW), kernel-desktop-p...
adamg
adamg at pld-linux.org
Sat Aug 18 19:43:53 CEST 2007
Author: adamg Date: Sat Aug 18 17:43:53 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- netfilter update (taken from kernel.spec:LINUX_2_6)
---- Files affected:
SOURCES:
kernel-desktop-pom-ng-geoip.patch (NONE -> 1.1) (NEW), kernel-desktop-pom-ng-mms-conntrack-nat.patch (NONE -> 1.1) (NEW), kernel-desktop-pom-ng-rsh.patch (NONE -> 1.1) (NEW), kernel-desktop-ipt_account.patch (NONE -> 1.1) (NEW), kernel-desktop-ipt_ACCOUNT.patch (NONE -> 1.1) (NEW), kernel-desktop-layer7.patch (NONE -> 1.1) (NEW), kernel-desktop-pom-ng-connlimit.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-IPMARK.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-ipp2p.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-ipv4options.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-ROUTE.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-rpc.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-set.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-TARPIT.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-time.patch (1.1 -> 1.2) , kernel-desktop-pom-ng-u32.patch (1.1 -> 1.2)
---- Diffs:
================================================================
Index: SOURCES/kernel-desktop-pom-ng-geoip.patch
diff -u /dev/null SOURCES/kernel-desktop-pom-ng-geoip.patch:1.1
--- /dev/null Sat Aug 18 19:43:53 2007
+++ SOURCES/kernel-desktop-pom-ng-geoip.patch Sat Aug 18 19:43:48 2007
@@ -0,0 +1,396 @@
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_geoip.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_geoip.h
+--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_geoip.h 2007-05-30 12:08:43.000000000 +0200
+@@ -0,0 +1,50 @@
++/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * Copyright (c) 2004, 2005, 2006 Samuel Jean & Nicolas Bouliane
++ */
++#ifndef _IPT_GEOIP_H
++#define _IPT_GEOIP_H
++
++#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
++#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
++#define IPT_GEOIP_INV 0x04 /* Negate the condition */
++
++#define IPT_GEOIP_MAX 15 /* Maximum of countries */
++
++struct geoip_subnet {
++ u_int32_t begin;
++ u_int32_t end;
++};
++
++struct geoip_info {
++ struct geoip_subnet *subnets;
++ u_int32_t count;
++ u_int32_t ref;
++ u_int16_t cc;
++ struct geoip_info *next;
++ struct geoip_info *prev;
++};
++
++struct ipt_geoip_info {
++ u_int8_t flags;
++ u_int8_t count;
++ u_int16_t cc[IPT_GEOIP_MAX];
++
++ /* Used internally by the kernel */
++ struct geoip_info *mem[IPT_GEOIP_MAX];
++ u_int8_t *refcount;
++
++ /* not implemented yet:
++ void *fini;
++ */
++};
++
++#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
++
++#endif
++
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:07:14.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:08:43.000000000 +0200
+@@ -921,5 +921,21 @@ config IP_NF_MATCH_CONNLIMIT
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
++config IP_NF_MATCH_GEOIP
++ tristate 'geoip match support'
++ depends on IP_NF_IPTABLES
++ help
++ This option allows you to match a packet by its source or
++ destination country. Basically, you need a country's
++ database containing all subnets and associated countries.
++
++ For the complete procedure and understanding, read :
++ http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. The module will be
++ called `ipt_geoip'. If unsure, say `N'.
++
++
+ endmenu
+
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:07:14.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:08:43.000000000 +0200
+@@ -95,6 +95,7 @@ obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += i
+ obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
+ obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
++obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o
+ obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
+ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
+ obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_geoip.c linux-2.6.21.b/net/ipv4/netfilter/ipt_geoip.c
+--- linux-2.6.21.a/net/ipv4/netfilter/ipt_geoip.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv4/netfilter/ipt_geoip.c 2007-05-30 12:08:43.000000000 +0200
+@@ -0,0 +1,302 @@
++/* iptables kernel module for the geoip match
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * Copyright (c) 2004, 2005, 2006 Samuel Jean & Nicolas Bouliane
++ */
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/version.h>
++#include <linux/skbuff.h>
++#include <linux/netdevice.h>
++#include <asm/uaccess.h>
++#include <asm/atomic.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter_ipv4/ipt_geoip.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Samuel Jean, Nicolas Bouliane");
++MODULE_DESCRIPTION("iptables module for geoip match");
++
++struct geoip_info *head = NULL;
++static spinlock_t geoip_lock = SPIN_LOCK_UNLOCKED;
++
++static struct geoip_info *add_node(struct geoip_info *memcpy)
++{
++ struct geoip_info *p =
++ (struct geoip_info *)kmalloc(sizeof(struct geoip_info), GFP_KERNEL);
++
++ struct geoip_subnet *s;
++
++ if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0))
++ return NULL;
++
++ s = (struct geoip_subnet *)kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL);
++ if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0))
++ return NULL;
++
++ spin_lock_bh(&geoip_lock);
++
++ p->subnets = s;
++ p->ref = 1;
++ p->next = head;
++ p->prev = NULL;
++ if (p->next) p->next->prev = p;
++ head = p;
++
++ spin_unlock_bh(&geoip_lock);
++ return p;
++}
++
++static void remove_node(struct geoip_info *p)
++ {
++ spin_lock_bh(&geoip_lock);
++
++ if (p->next) { /* Am I following a node ? */
++ p->next->prev = p->prev;
++ if (p->prev) p->prev->next = p->next; /* Is there a node behind me ? */
++ else head = p->next; /* No? Then I was the head */
++ }
++
++ else
++ if (p->prev) /* Is there a node behind me ? */
++ p->prev->next = NULL;
++ else
++ head = NULL; /* No, we're alone */
++
++ /* So now am unlinked or the only one alive, right ?
++ * What are you waiting ? Free up some memory!
++ */
++
++ kfree(p->subnets);
++ kfree(p);
++
++ spin_unlock_bh(&geoip_lock);
++ return;
++}
++
++static struct geoip_info *find_node(u_int16_t cc)
++{
++ struct geoip_info *p = head;
++ spin_lock_bh(&geoip_lock);
++
++ while (p) {
++ if (p->cc == cc) {
++ spin_unlock_bh(&geoip_lock);
++ return p;
++ }
++ p = p->next;
++ }
++ spin_unlock_bh(&geoip_lock);
++ return NULL;
++}
++
++static int match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++ const void *matchinfo,
++ int offset,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ unsigned int protoff,
++#endif
++ int *hotdrop)
++{
++ const struct ipt_geoip_info *info = matchinfo;
++ const struct geoip_info *node; /* This keeps the code sexy */
++ const struct iphdr *iph = ip_hdr(skb);
++ u_int32_t ip, j;
++ u_int8_t i;
++
++ if (info->flags & IPT_GEOIP_SRC)
++ ip = ntohl(iph->saddr);
++ else
++ ip = ntohl(iph->daddr);
++
++ spin_lock_bh(&geoip_lock);
++ for (i = 0; i < info->count; i++) {
++ if ((node = info->mem[i]) == NULL) {
++ printk(KERN_ERR "ipt_geoip: what the hell ?? '%c%c' isn't loaded into memory... skip it!\n",
++ COUNTRY(info->cc[i]));
++
++ continue;
++ }
++
++ for (j = 0; j < node->count; j++)
++ if ((ip > node->subnets[j].begin) && (ip < node->subnets[j].end)) {
++ spin_unlock_bh(&geoip_lock);
++ return (info->flags & IPT_GEOIP_INV) ? 0 : 1;
++ }
++ }
++
++ spin_unlock_bh(&geoip_lock);
++ return (info->flags & IPT_GEOIP_INV) ? 1 : 0;
++}
++
++static int geoip_checkentry(const char *tablename,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
++ const void *ip,
++#else
++ const struct ipt_ip *ip,
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match,
++#endif
++ void *matchinfo,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
++ unsigned int matchsize,
++#endif
++ unsigned int hook_mask)
++{
++ struct ipt_geoip_info *info = matchinfo;
++ struct geoip_info *node;
++ u_int8_t i;
++
++ /* FIXME: Call a function to free userspace allocated memory.
++ * As Martin J. said; this match might eat lot of memory
++ * if commited with iptables-restore --noflush
++ void (*gfree)(struct geoip_info *oldmem);
++ gfree = info->fini;
++ */
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_geoip_info))) {
++ printk(KERN_ERR "ipt_geoip: matchsize differ, you may have forgotten to recompile me\n");
++ return 0;
++ }
++#endif
++
++ /* If info->refcount isn't NULL, then
++ * it means that checkentry() already
++ * initialized this entry. Increase a
++ * refcount to prevent destroy() of
++ * this entry. */
++ if (info->refcount != NULL) {
++ atomic_inc((atomic_t *)info->refcount);
++ return 1;
++ }
++
++
++ for (i = 0; i < info->count; i++) {
++
++ if ((node = find_node(info->cc[i])) != NULL)
++ atomic_inc((atomic_t *)&node->ref); //increase the reference
++ else
++ if ((node = add_node(info->mem[i])) == NULL) {
++ printk(KERN_ERR
++ "ipt_geoip: unable to load '%c%c' into memory\n",
++ COUNTRY(info->cc[i]));
++ return 0;
++ }
++
++ /* Free userspace allocated memory for that country.
++ * FIXME: It's a bit odd to call this function everytime
++ * we process a country. Would be nice to call
++ * it once after all countries've been processed.
++ * - SJ
++ * *not implemented for now*
++ gfree(info->mem[i]);
++ */
++
++ /* Overwrite the now-useless pointer info->mem[i] with
++ * a pointer to the node's kernelspace structure.
++ * This avoids searching for a node in the match() and
++ * destroy() functions.
++ */
++ info->mem[i] = node;
++ }
++
++ /* We allocate some memory and give info->refcount a pointer
++ * to this memory. This prevents checkentry() from increasing a refcount
++ * different from the one used by destroy().
++ * For explanation, see http://www.mail-archive.com/netfilter-devel@lists.samba.org/msg00625.html
++ */
++ info->refcount = kmalloc(sizeof(u_int8_t), GFP_KERNEL);
++ if (info->refcount == NULL) {
++ printk(KERN_ERR "ipt_geoip: failed to allocate `refcount' memory\n");
++ return 0;
++ }
++ *(info->refcount) = 1;
++
++ return 1;
++}
++
++static void geoip_destroy(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ const struct xt_match *match, void *matchinfo)
++#else
++ void *matchinfo, unsigned int matchsize)
++#endif
++{
++ u_int8_t i;
++ struct geoip_info *node; /* this keeps the code sexy */
++
++ struct ipt_geoip_info *info = matchinfo;
++ /* Decrease the previously increased refcount in checkentry()
++ * If it's equal to 1, we know this entry is just moving
++ * but not removed. We simply return to avoid useless destroy()
++ * processing.
++ */
++ atomic_dec((atomic_t *)info->refcount);
++ if (*info->refcount)
++ return;
++
++ /* Don't leak my memory, you idiot.
++ * Bug found with nfsim.. the netfilter's best
++ * friend. --peejix */
++ kfree(info->refcount);
++
++ /* This entry has been removed from the table so
++ * decrease the refcount of all countries it is
++ * using.
++ */
++
++ for (i = 0; i < info->count; i++)
++ if ((node = info->mem[i]) != NULL) {
++ atomic_dec((atomic_t *)&node->ref);
++
++ /* Free up some memory if that node isn't used
++ * anymore. */
++ if (node->ref < 1)
++ remove_node(node);
++ }
++ else
++ /* Something strange happened. There's no memory allocated for this
++ * country. Please send this bug to the mailing list. */
++ printk(KERN_ERR
++ "ipt_geoip: What happened peejix ? What happened acidmen ?\n"
++ "ipt_geoip: please report this bug to the maintainers\n");
++ return;
++}
++
++static struct xt_match geoip_match = {
++ .name = "geoip",
++ .family = AF_INET,
++ .match = &match,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
++ .matchsize = sizeof (struct ipt_geoip_info),
++#endif
++ .checkentry = &geoip_checkentry,
++ .destroy = &geoip_destroy,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ return xt_register_match(&geoip_match);
++}
++
++static void __exit fini(void)
++{
++ xt_unregister_match(&geoip_match);
++ return;
++}
++
++module_init(init);
++module_exit(fini);
================================================================
Index: SOURCES/kernel-desktop-pom-ng-mms-conntrack-nat.patch
diff -u /dev/null SOURCES/kernel-desktop-pom-ng-mms-conntrack-nat.patch:1.1
--- /dev/null Sat Aug 18 19:43:53 2007
+++ SOURCES/kernel-desktop-pom-ng-mms-conntrack-nat.patch Sat Aug 18 19:43:48 2007
@@ -0,0 +1,756 @@
+diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter/nf_conntrack_mms.h linux-2.6.21.b/include/linux/netfilter/nf_conntrack_mms.h
+--- linux-2.6.21.a/include/linux/netfilter/nf_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/linux/netfilter/nf_conntrack_mms.h 2007-05-30 11:50:55.000000000 +0200
+@@ -0,0 +1,34 @@
++#ifndef _IP_CONNTRACK_MMS_H
++#define _IP_CONNTRACK_MMS_H
++/* MMS tracking. */
++
++#ifdef __KERNEL__
++
++#define MMS_PORT 1755
++#define MMS_SRV_MSG_ID 196610
++
++#define MMS_SRV_MSG_OFFSET 36
++#define MMS_SRV_UNICODE_STRING_OFFSET 60
++#define MMS_SRV_CHUNKLENLV_OFFSET 16
++#define MMS_SRV_CHUNKLENLM_OFFSET 32
++#define MMS_SRV_MESSAGELENGTH_OFFSET 8
++
++/* This structure is per expected connection */
++struct nf_ct_mms_expect {
++ u_int32_t offset;
++ u_int32_t len;
++ u_int32_t padding;
++ u_int16_t port;
++};
++
++/* This structure exists only once per master */
++struct nf_ct_mms_master {
++};
++
++struct nf_conntrack_expect;
++extern unsigned int (*nf_nat_mms_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ const struct nf_ct_mms_expect *exp_mms_info,
++ struct nf_conntrack_expect *exp);
++#endif
++#endif /* _IP_CONNTRACK_MMS_H */
+diff -NurpP --minimal linux-2.6.21.a/include/net/netfilter/nf_conntrack.h linux-2.6.21.b/include/net/netfilter/nf_conntrack.h
+--- linux-2.6.21.a/include/net/netfilter/nf_conntrack.h 2007-05-30 11:14:07.000000000 +0200
++++ linux-2.6.21.b/include/net/netfilter/nf_conntrack.h 2007-05-30 11:50:55.000000000 +0200
+@@ -46,6 +46,7 @@ union nf_conntrack_expect_proto {
+ #include <linux/netfilter/nf_conntrack_pptp.h>
+ #include <linux/netfilter/nf_conntrack_h323.h>
+ #include <linux/netfilter/nf_conntrack_sane.h>
++#include <linux/netfilter/nf_conntrack_mms.h>
+
+ /* per conntrack: application helper private data */
+ union nf_conntrack_help {
+@@ -54,6 +55,7 @@ union nf_conntrack_help {
+ struct nf_ct_pptp_master ct_pptp_info;
+ struct nf_ct_h323_master ct_h323_info;
+ struct nf_ct_sane_master ct_sane_info;
++ struct nf_ct_mms_master ct_mms_info;
+ };
+
+ #include <linux/types.h>
+diff -NurpP --minimal linux-2.6.21.a/include/net/netfilter/nf_conntrack_mms.h linux-2.6.21.b/include/net/netfilter/nf_conntrack_mms.h
+--- linux-2.6.21.a/include/net/netfilter/nf_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/include/net/netfilter/nf_conntrack_mms.h 2007-05-30 11:50:55.000000000 +0200
+@@ -0,0 +1,34 @@
++#ifndef _IP_CONNTRACK_MMS_H
++#define _IP_CONNTRACK_MMS_H
++/* MMS tracking. */
++
++#ifdef __KERNEL__
++
++#define MMS_PORT 1755
++#define MMS_SRV_MSG_ID 196610
++
++#define MMS_SRV_MSG_OFFSET 36
++#define MMS_SRV_UNICODE_STRING_OFFSET 60
++#define MMS_SRV_CHUNKLENLV_OFFSET 16
++#define MMS_SRV_CHUNKLENLM_OFFSET 32
++#define MMS_SRV_MESSAGELENGTH_OFFSET 8
++
++/* This structure is per expected connection */
++struct nf_ct_mms_expect {
++ u_int32_t offset;
++ u_int32_t len;
++ u_int32_t padding;
++ u_int16_t port;
++};
++
++/* This structure exists only once per master */
++struct nf_ct_mms_master {
++};
++
++struct nf_conntrack_expect;
++extern unsigned int (*nf_nat_mms_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ const struct nf_ct_mms_expect *exp_mms_info,
++ struct nf_conntrack_expect *exp);
++#endif
++#endif /* _IP_CONNTRACK_MMS_H */
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
+--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:44:12.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:50:55.000000000 +0200
+@@ -543,6 +543,11 @@ config NF_NAT_H323
+ depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
+ default NF_NAT && NF_CONNTRACK_H323
+
++config NF_NAT_MMS
++ tristate
++ depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
++ default NF_NAT && NF_CONNTRACK_MMS
++
+ config NF_NAT_SIP
+ tristate
+ depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
+@@ -847,5 +852,23 @@ config IP_NF_TARGET_TARPIT
+ hardware or IPs. Any TCP port that you would normally DROP or REJECT
+ can instead become a tarpit.
+
++config IP_NF_NAT_MMS
++ tristate
++ depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
++ default IP_NF_NAT if IP_NF_MMS=y
++ default m if IP_NF_MMS=m
++
++config IP_NF_MMS
++ tristate 'MMS protocol support'
++ depends on IP_NF_CONNTRACK
++ help
++ Tracking MMS (Microsoft Windows Media Services) connections
++ could be problematic if random ports are used to send the
++ streaming content. This option allows users to track streaming
++ connections over random UDP or TCP ports.
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. If unsure, say `Y'.
++
+ endmenu
+
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
+--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:44:12.000000000 +0200
++++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:50:55.000000000 +0200
+@@ -62,6 +64,7 @@ obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_si
+ # NAT helpers (nf_conntrack)
+ obj-$(CONFIG_NF_NAT_AMANDA) += nf_nat_amanda.o
+ obj-$(CONFIG_NF_NAT_FTP) += nf_nat_ftp.o
++obj-$(CONFIG_NF_NAT_MMS) += nf_nat_mms.o
+ obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
+ obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o
+ obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
+diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/nf_nat_mms.c linux-2.6.21.b/net/ipv4/netfilter/nf_nat_mms.c
+--- linux-2.6.21.a/net/ipv4/netfilter/nf_nat_mms.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.b/net/ipv4/netfilter/nf_nat_mms.c 2007-05-30 11:50:55.000000000 +0200
+@@ -0,0 +1,196 @@
++/* MMS extension for TCP NAT alteration.
++ * (C) 2002 by Filip Sneppe <filip.sneppe at cronos.be>
++ * based on ip_nat_ftp.c and ip_nat_irc.c
++ *
++ * ip_nat_mms.c v0.3 2002-09-22
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version
++ * 2 of the License, or (at your option) any later version.
++ *
++ * Module load syntax:
++ * insmod ip_nat_mms.o ports=port1,port2,...port<MAX_PORTS>
++ *
++ * Please give the ports of all MMS servers You wish to connect to.
++ * If you don't specify ports, the default will be TCP port 1755.
++ *
++ * More info on MMS protocol, firewalls and NAT:
++ * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp
++ * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp
++ *
++ * The SDP project people are reverse-engineering MMS:
++ * http://get.to/sdp
++ *
++ * 2005-02-13: Harald Welte <laforge at netfilter.org>
++ * - port to 2.6.x
++ * - update to work with post 2.6.11 helper API changes
++ *
++ * 2007-03-30: Marek Guevara Braun <mguevara at pld-linux.org>
++ * - port to nf_conntrack
++ */
++
++/* FIXME: issue with UDP & fragmentation with this URL:
++ http://www.cnn.com/video/world/2002/01/21/jb.shoe.bomb.cafe.cnn.low.asx
++ may be related to out-of-order first packets:
++ basically the expectation is set up correctly, then the server sends
++ a first UDP packet which is fragmented plus arrives out-of-order.
++ the MASQUERADING firewall with ip_nat_mms loaded responds with
++ an ICMP unreachable back to the server */
++
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-connlimit.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-IPMARK.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-ipp2p.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-ipv4options.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-IPV4OPTSSTRIP.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-ROUTE.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-rpc.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-set.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-TARPIT.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-time.patch?r1=1.1&r2=1.2&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-pom-ng-u32.patch?r1=1.1&r2=1.2&f=u
More information about the pld-cvs-commit
mailing list