SOURCES: iptables-20070806.patch - connlimit, time and u32 present...
zbyniu
zbyniu at pld-linux.org
Wed Apr 9 19:15:45 CEST 2008
Author: zbyniu Date: Wed Apr 9 17:15:45 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- connlimit, time and u32 present in official 1.4.0
---- Files affected:
SOURCES:
iptables-20070806.patch (1.5 -> 1.6)
---- Diffs:
================================================================
Index: SOURCES/iptables-20070806.patch
diff -u SOURCES/iptables-20070806.patch:1.5 SOURCES/iptables-20070806.patch:1.6
--- SOURCES/iptables-20070806.patch:1.5 Sun Feb 3 00:36:28 2008
+++ SOURCES/iptables-20070806.patch Wed Apr 9 19:15:40 2008
@@ -25,12 +25,6 @@
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_TARPIT.c ] && echo TARPIT
-diff -urN iptables-1.3.8/extensions/.connlimit-test iptables/extensions/.connlimit-test
---- iptables-1.3.8/extensions/.connlimit-test 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/.connlimit-test 2007-03-07 13:26:10.000000000 +0100
-@@ -0,0 +1,2 @@
-+#! /bin/sh
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connlimit.h ] && echo connlimit
diff -urN iptables-1.3.8/extensions/.geoip-test iptables/extensions/.geoip-test
--- iptables-1.3.8/extensions/.geoip-test 1970-01-01 01:00:00.000000000 +0100
+++ iptables/extensions/.geoip-test 2006-05-06 13:18:20.000000000 +0200
@@ -51,20 +45,6 @@
+#!/bin/sh
+# True if ipv4options is applied.
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options
-diff -urN iptables-1.3.8/extensions/.time-test iptables/extensions/.time-test
---- iptables-1.3.8/extensions/.time-test 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/.time-test 2006-12-04 12:15:20.000000000 +0100
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if time is applied.
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_time.h ] && echo time
-diff -urN iptables-1.3.8/extensions/.u32-test iptables/extensions/.u32-test
---- iptables-1.3.8/extensions/.u32-test 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/.u32-test 2006-12-12 11:34:45.000000000 +0100
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if u32 is applied.
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_u32.h ] && echo u32
diff -urN iptables-1.3.8/extensions/libipt_ACCOUNT.c iptables/extensions/libipt_ACCOUNT.c
--- iptables-1.3.8/extensions/libipt_ACCOUNT.c 1970-01-01 01:00:00.000000000 +0100
+++ iptables/extensions/libipt_ACCOUNT.c 2006-10-26 12:17:57.000000000 +0200
@@ -648,141 +628,6 @@
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT
-diff -urN iptables-1.3.8/extensions/libipt_connlimit.c iptables/extensions/libipt_connlimit.c
---- iptables-1.3.8/extensions/libipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_connlimit.c 2006-12-04 12:15:19.000000000 +0100
-@@ -0,0 +1,131 @@
-+/* Shared library add-on to iptables to add connection limit support. */
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <stddef.h>
-+#include <getopt.h>
-+#include <iptables.h>
-+#include <net/netfilter/nf_conntrack.h>
-+#include <linux/netfilter_ipv4/ipt_connlimit.h>
-+
-+/* Function which prints out usage message. */
-+static void
-+help(void)
-+{
-+ printf(
-+"connlimit v%s options:\n"
-+"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n"
-+" --connlimit-mask n group hosts using mask\n"
-+"\n", IPTABLES_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "connlimit-above", 1, 0, '1' },
-+ { "connlimit-mask", 1, 0, '2' },
-+ {0}
-+};
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry,
-+ struct xt_entry_match **match)
-+{
-+ struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
-+ int i;
-+
-+ if (0 == (*flags & 2)) {
-+ /* set default mask unless we've already seen a mask option */
-+ info->mask = htonl(0xFFFFFFFF);
-+ }
-+
-+ switch (c) {
-+ case '1':
-+ check_inverse(optarg, &invert, &optind, 0);
-+ info->limit = atoi(argv[optind-1]);
-+ info->inverse = invert;
-+ *flags |= 1;
-+ break;
-+
-+ case '2':
-+ i = atoi(argv[optind-1]);
-+ if ((i < 0) || (i > 32))
-+ exit_error(PARAMETER_PROBLEM,
-+ "--connlimit-mask must be between 0 and 32");
-+
-+ if (i == 0)
-+ info->mask = 0;
-+ else
-+ info->mask = htonl(0xFFFFFFFF << (32 - i));
-+ *flags |= 2;
-+ break;
-+
-+ default:
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+/* Final check */
-+static void final_check(unsigned int flags)
-+{
-+ if (!flags & 1)
-+ exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
-+}
-+
-+static int
-+count_bits(u_int32_t mask)
-+{
-+ int i, bits;
-+
-+ for (bits = 0, i = 31; i >= 0; i--) {
-+ if (mask & htonl((u_int32_t)1 << i)) {
-+ bits++;
-+ continue;
-+ }
-+ break;
-+ }
-+ return bits;
-+}
-+
-+/* Prints out the matchinfo. */
-+static void
-+print(const void *ip,
-+ const struct xt_entry_match *match,
-+ int numeric)
-+{
-+ struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
-+
-+ printf("#conn/%d %s %d ", count_bits(info->mask),
-+ info->inverse ? "<" : ">", info->limit);
-+}
-+
-+/* Saves the matchinfo in parsable form to stdout. */
-+static void save(const void *ip, const struct xt_entry_match *match)
-+{
-+ struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
-+
-+ printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
-+ printf("--connlimit-mask %d ",count_bits(info->mask));
-+}
-+
-+static struct iptables_match connlimit = {
-+ .name = "connlimit",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
-+ .userspacesize = offsetof(struct ipt_connlimit_info,data),
-+ .help = help,
-+ .parse = parse,
-+ .final_check = final_check,
-+ .print = print,
-+ .save = save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ register_match(&connlimit);
-+}
diff -urN iptables-1.3.8/extensions/libipt_geoip.c iptables/extensions/libipt_geoip.c
--- iptables-1.3.8/extensions/libipt_geoip.c 1970-01-01 01:00:00.000000000 +0100
+++ iptables/extensions/libipt_geoip.c 2006-12-05 04:36:39.000000000 +0100
@@ -1938,855 +1783,3 @@
+.TP
+$ iptables -A input -m ipv4options --ts -j DROP
+will drop packets with the timestamp flag.
-diff -urN iptables-1.3.8/extensions/libipt_time.c iptables/extensions/libipt_time.c
---- iptables-1.3.8/extensions/libipt_time.c 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_time.c 2006-12-04 12:15:20.000000000 +0100
-@@ -0,0 +1,549 @@
-+/* Shared library add-on to iptables to add TIME matching support. */
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <stddef.h> /* for 'offsetof' */
-+#include <getopt.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ipt_time.h>
-+#include <time.h>
-+
-+static int globaldays;
-+
-+/* Function which prints out usage message. */
-+static void
-+help(void)
-+{
-+ printf(
-+"TIME v%s options:\n"
-+" [ --timestart value ] [ --timestop value] [ --days listofdays ] [ --datestart value ] [ --datestop value ]\n"
-+" timestart value : HH:MM (default 00:00)\n"
-+" timestop value : HH:MM (default 23:59)\n"
-+" Note: daylight savings time changes are not tracked\n"
-+" listofdays value: a list of days to apply\n"
-+" from Mon,Tue,Wed,Thu,Fri,Sat,Sun\n"
-+" Coma speparated, no space, case sensitive.\n"
-+" Defaults to all days.\n"
-+" datestart value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
-+" If any of month, day, hour, minute or second is\n"
-+" not specified, then defaults to their smallest\n"
-+" 1900 <= YYYY < 2037\n"
-+" 1 <= MM <= 12\n"
-+" 1 <= DD <= 31\n"
-+" 0 <= hh <= 23\n"
-+" 0 <= mm <= 59\n"
-+" 0 <= ss <= 59\n"
-+" datestop value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
-+" If the whole option is ommited, default to never stop\n"
-+" If any of month, day, hour, minute or second is\n"
-+" not specified, then default to their smallest\n",
-+IPTABLES_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "timestart", 1, 0, '1' },
-+ { "timestop", 1, 0, '2' },
-+ { "days", 1, 0, '3'},
-+ { "datestart", 1, 0, '4' },
-+ { "datestop", 1, 0, '5' },
-+ {0}
-+};
-+
-+/* Initialize the match. */
-+static void
-+init(struct ipt_entry_match *m, unsigned int *nfcache)
-+{
-+ struct ipt_time_info *info = (struct ipt_time_info *)m->data;
-+ globaldays = 0;
-+ /* By default, we match on everyday */
-+ info->days_match = 127;
-+ /* By default, we match on every hour:min of the day */
-+ info->time_start = 0;
-+ info->time_stop = 1439; /* (23*60+59 = 1439 */
-+ /* By default, we don't have any date-begin or date-end boundaries */
-+ info->date_start = 0;
-+ info->date_stop = LONG_MAX;
-+}
-+
-+/**
-+ * param: part1, a pointer on a string 2 chars maximum long string, that will contain the hours.
-+ * param: part2, a pointer on a string 2 chars maximum long string, that will contain the minutes.
-+ * param: str_2_parse, the string to parse.
-+ * return: 1 if ok, 0 if error.
-+ */
-+static int
-+split_time(char **part1, char **part2, const char *str_2_parse)
-+{
-+ unsigned short int i,j=0;
-+ char *rpart1 = *part1;
-+ char *rpart2 = *part2;
-+ unsigned char found_column = 0;
-+
-+ /* Check the length of the string */
-+ if (strlen(str_2_parse) > 5)
-+ return 0;
-+ /* parse the first part until the ':' */
-+ for (i=0; i<2; i++)
-+ {
-+ if (str_2_parse[i] == ':')
-+ found_column = 1;
-+ else
-+ rpart1[i] = str_2_parse[i];
-+ }
-+ if (!found_column)
-+ i++;
-+ j=i;
-+ /* parse the second part */
-+ for (; i<strlen(str_2_parse); i++)
-+ {
-+ rpart2[i-j] = str_2_parse[i];
-+ }
-+ /* if we are here, format should be ok. */
-+ return 1;
-+}
-+
-+static int
-+parse_number(char *str, int num_min, int num_max, int *number)
-+{
-+ /* if the number starts with 0, replace it with a space else
-+ string_to_number() will interpret it as octal !! */
-+ if (strlen(str) == 0)
-+ return 0;
-+
-+ if ((str[0] == '0') && (str[1] != '\0'))
-+ str[0] = ' ';
-+
-+ return string_to_number(str, num_min, num_max, number);
-+}
-+
-+static void
-+parse_time_string(int *hour, int *minute, const char *time)
-+{
-+ char *hours;
-+ char *minutes;
-+ hours = (char *)malloc(3);
-+ minutes = (char *)malloc(3);
-+ memset(hours, 0, 3);
-+ memset(minutes, 0, 3);
-+
-+ if (split_time((char **)&hours, (char **)&minutes, time) == 1)
-+ {
-+ *hour = 0;
-+ *minute = 0;
-+ if ((parse_number((char *)hours, 0, 23, hour) != -1) &&
-+ (parse_number((char *)minutes, 0, 59, minute) != -1))
-+ {
-+ free(hours);
-+ free(minutes);
-+ return;
-+ }
-+ }
-+
-+ free(hours);
-+ free(minutes);
-+
-+ /* If we are here, there was a problem ..*/
-+ exit_error(PARAMETER_PROBLEM,
-+ "invalid time `%s' specified, should be HH:MM format", time);
-+}
-+
-+/* return 1->ok, return 0->error */
-+static int
-+parse_day(int *days, int from, int to, const char *string)
-+{
-+ char *dayread;
-+ char *days_str[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
-+ unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
-+ unsigned int i;
-+
-+ dayread = (char *)malloc(4);
-+ bzero(dayread, 4);
-+ if ((to-from) != 3) {
-+ free(dayread);
-+ return 0;
-+ }
-+ for (i=from; i<to; i++)
-+ dayread[i-from] = string[i];
-+ for (i=0; i<7; i++)
-+ if (strcmp(dayread, days_str[i]) == 0)
-+ {
-+ *days |= days_of_week[i];
-+ free(dayread);
-+ return 1;
-+ }
-+ /* if we are here, we didn't read a valid day */
-+ free(dayread);
-+ return 0;
-+}
-+
-+static void
-+parse_days_string(int *days, const char *daystring)
-+{
-+ int len;
-+ int i=0;
-+ char *err = "invalid days `%s' specified, should be Sun,Mon,Tue... format";
-+
-+ len = strlen(daystring);
-+ if (len < 3)
-+ exit_error(PARAMETER_PROBLEM, err, daystring);
-+ while(i<len)
-+ {
-+ if (parse_day(days, i, i+3, daystring) == 0)
-+ exit_error(PARAMETER_PROBLEM, err, daystring);
-+ i += 4;
-+ }
-+}
-+
-+static int
-+parse_date_field(const char *str_to_parse, int str_to_parse_s, int start_pos,
-+ char *dest, int *next_pos)
-+{
-+ unsigned char found_value = 0;
-+ unsigned char found_column = 0;
-+ int i;
-+
-+ for (i=0; i<2; i++)
-+ {
-+ if ((i+start_pos) >= str_to_parse_s) /* don't exit boundaries of the string.. */
-+ break;
-+ if (str_to_parse[i+start_pos] == ':')
-+ found_column = 1;
-+ else
-+ {
-+ found_value = 1;
-+ dest[i] = str_to_parse[i+start_pos];
-+ }
-+ }
-+ if (found_value == 0)
-+ return 0;
-+ *next_pos = i + start_pos;
-+ if (found_column == 0)
-+ ++(*next_pos);
-+ return 1;
-+}
-+
-+static int
-+split_date(char *year, char *month, char *day,
-+ char *hour, char *minute, char *second,
-+ const char *str_to_parse)
-+{
-+ int i;
-+ unsigned char found_column = 0;
-+ int str_to_parse_s = strlen(str_to_parse);
-+
-+ /* Check the length of the string */
-+ if ((str_to_parse_s > 19) || /* YYYY:MM:DD:HH:MM:SS */
-+ (str_to_parse_s < 4)) /* YYYY*/
-+ return 0;
-+
-+ /* Clear the buffers */
-+ memset(year, 0, 4);
-+ memset(month, 0, 2);
-+ memset(day, 0, 2);
-+ memset(hour, 0, 2);
-+ memset(minute, 0, 2);
-+ memset(second, 0, 2);
-+
-+ /* parse the year YYYY */
-+ found_column = 0;
-+ for (i=0; i<5; i++)
-+ {
-+ if (i >= str_to_parse_s)
-+ break;
-+ if (str_to_parse[i] == ':')
-+ {
-+ found_column = 1;
-+ break;
-+ }
-+ else
-+ year[i] = str_to_parse[i];
-+ }
-+ if (found_column == 1)
-+ ++i;
-+
-+ /* parse the month if it exists */
-+ if (! parse_date_field(str_to_parse, str_to_parse_s, i, month, &i))
-+ return 1;
-+
-+ if (! parse_date_field(str_to_parse, str_to_parse_s, i, day, &i))
-+ return 1;
-+
-+ if (! parse_date_field(str_to_parse, str_to_parse_s, i, hour, &i))
-+ return 1;
-+
-+ if (! parse_date_field(str_to_parse, str_to_parse_s, i, minute, &i))
-+ return 1;
-+
-+ parse_date_field(str_to_parse, str_to_parse_s, i, second, &i);
-+
-+ /* if we are here, format should be ok. */
-+ return 1;
-+}
-+
-+static time_t
-+parse_date_string(const char *str_to_parse)
-+{
-+ char year[5];
-+ char month[3];
-+ char day[3];
-+ char hour[3];
-+ char minute[3];
-+ char second[3];
-+ struct tm t;
-+ time_t temp_time;
-+
-+ memset(year, 0, 5);
-+ memset(month, 0, 3);
-+ memset(day, 0, 3);
-+ memset(hour, 0, 3);
-+ memset(minute, 0, 3);
-+ memset(second, 0, 3);
-+
-+ if (split_date(year, month, day, hour, minute, second, str_to_parse) == 1)
-+ {
-+ memset((void *)&t, 0, sizeof(struct tm));
-+ t.tm_isdst = -1;
-+ t.tm_mday = 1;
-+ if (!((parse_number(year, 1900, 2037, &(t.tm_year)) == -1) ||
-+ (parse_number(month, 1, 12, &(t.tm_mon)) == -1) ||
-+ (parse_number(day, 1, 31, &(t.tm_mday)) == -1) ||
-+ (parse_number(hour, 0, 9999, &(t.tm_hour)) == -1) ||
-+ (parse_number(minute, 0, 59, &(t.tm_min)) == -1) ||
-+ (parse_number(second, 0, 59, &(t.tm_sec)) == -1)))
-+ {
-+ t.tm_year -= 1900;
-+ --(t.tm_mon);
-+ temp_time = mktime(&t);
-+ if (temp_time != -1)
-+ return temp_time;
-+ }
-+ }
-+ exit_error(PARAMETER_PROBLEM,
-+ "invalid date `%s' specified, should be YYYY[:MM[:DD[:hh[:mm[:ss]]]]] format", str_to_parse);
-+}
-+
-+#define IPT_TIME_START 0x01
-+#define IPT_TIME_STOP 0x02
-+#define IPT_TIME_DAYS 0x04
-+#define IPT_DATE_START 0x08
-+#define IPT_DATE_STOP 0x10
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry,
-+ unsigned int *nfcache,
-+ struct ipt_entry_match **match)
-+{
-+ struct ipt_time_info *timeinfo = (struct ipt_time_info *)(*match)->data;
-+ int hours, minutes;
-+ time_t temp_date;
-+
-+ switch (c)
-+ {
-+ /* timestart */
-+ case '1':
-+ if (invert)
-+ exit_error(PARAMETER_PROBLEM,
-+ "unexpected '!' with --timestart");
-+ if (*flags & IPT_TIME_START)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Can't specify --timestart twice");
-+ parse_time_string(&hours, &minutes, optarg);
-+ timeinfo->time_start = (hours * 60) + minutes;
-+ *flags |= IPT_TIME_START;
-+ break;
-+ /* timestop */
-+ case '2':
-+ if (invert)
-+ exit_error(PARAMETER_PROBLEM,
-+ "unexpected '!' with --timestop");
-+ if (*flags & IPT_TIME_STOP)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Can't specify --timestop twice");
-+ parse_time_string(&hours, &minutes, optarg);
-+ timeinfo->time_stop = (hours * 60) + minutes;
-+ *flags |= IPT_TIME_STOP;
-+ break;
-+
-+ /* days */
-+ case '3':
-+ if (invert)
-+ exit_error(PARAMETER_PROBLEM,
-+ "unexpected '!' with --days");
-+ if (*flags & IPT_TIME_DAYS)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Can't specify --days twice");
-+ parse_days_string(&globaldays, optarg);
-+ timeinfo->days_match = globaldays;
-+ *flags |= IPT_TIME_DAYS;
-+ break;
-+
-+ /* datestart */
-+ case '4':
-+ if (invert)
-+ exit_error(PARAMETER_PROBLEM,
-+ "unexpected '!' with --datestart");
-+ if (*flags & IPT_DATE_START)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Can't specify --datestart twice");
-+ temp_date = parse_date_string(optarg);
-+ timeinfo->date_start = temp_date;
-+ *flags |= IPT_DATE_START;
-+ break;
-+
-+ /* datestop*/
-+ case '5':
-+ if (invert)
-+ exit_error(PARAMETER_PROBLEM,
-+ "unexpected '!' with --datestop");
-+ if (*flags & IPT_DATE_STOP)
-+ exit_error(PARAMETER_PROBLEM,
-+ "Can't specify --datestop twice");
-+ temp_date = parse_date_string(optarg);
-+ timeinfo->date_stop = temp_date;
-+ *flags |= IPT_DATE_STOP;
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/iptables-20070806.patch?r1=1.5&r2=1.6&f=u