packages: iptables/iptables-layer7.patch, iptables/iptables.spec - update l...
arekm
arekm at pld-linux.org
Fri Oct 15 19:33:28 CEST 2010
Author: arekm Date: Fri Oct 15 17:33:28 2010 GMT
Module: packages Tag: HEAD
---- Log message:
- update layer7 patch
---- Files affected:
packages/iptables:
iptables-layer7.patch (1.6 -> 1.7) , iptables.spec (1.285 -> 1.286)
---- Diffs:
================================================================
Index: packages/iptables/iptables-layer7.patch
diff -u packages/iptables/iptables-layer7.patch:1.6 packages/iptables/iptables-layer7.patch:1.7
--- packages/iptables/iptables-layer7.patch:1.6 Mon Aug 30 22:55:03 2010
+++ packages/iptables/iptables-layer7.patch Fri Oct 15 19:33:22 2010
@@ -1,11 +1,11 @@
-diff -Nurp iptables-1.3.8/extensions/libipt_layer7.c iptables-1.3.8-layer7/extensions/libipt_layer7.c
---- iptables-1.3.8/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600
-+++ iptables-1.3.8-layer7/extensions/libipt_layer7.c 2007-07-04 19:23:04.000000000 -0500
-@@ -0,0 +1,397 @@
+diff -urN iptables-1.4.9.1.org/extensions/libxt_layer7.c iptables-1.4.9.1/extensions/libxt_layer7.c
+--- iptables-1.4.9.1.org/extensions/libxt_layer7.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.9.1/extensions/libxt_layer7.c 2009-07-14 00:53:05.000000000 +0200
+@@ -0,0 +1,368 @@
+/*
-+ Shared library add-on to iptables to add layer 7 matching support.
++ Shared library add-on to iptables for layer 7 matching support.
+
-+ By Matthew Strait <quadong at users.sf.net>, Oct 2003.
++ By Matthew Strait <quadong at users.sf.net>, Oct 2003-Aug 2008.
+
+ http://l7-filter.sf.net
+
@@ -14,8 +14,6 @@
+ as published by the Free Software Foundation; either version
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
-+
-+ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield at freegates.be>
+*/
+
+#define _GNU_SOURCE
@@ -27,36 +25,31 @@
+#include <ctype.h>
+#include <dirent.h>
+
-+#include <iptables.h>
++#include <xtables.h>
+#include <linux/netfilter/xt_layer7.h>
+
+#define MAX_FN_LEN 256
+
+static char l7dir[MAX_FN_LEN] = "\0";
+
-+int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info);
-+char ** readl7dir(char * dirname);
-+
+/* Function which prints out usage message. */
+static void help(void)
+{
+ printf(
-+ "LAYER7 match v%s options:\n"
-+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
-+ " (--l7dir must be specified before --l7proto if used!)\n"
-+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
-+ XTABLES_VERSION);
-+ fputc('\n', stdout);
++ "layer7 match options:\n"
++ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++ " (--l7dir must be specified before --l7proto if used)\n"
++ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
+}
+
-+static struct option opts[] = {
-+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
-+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
-+ { .name = 0 }
++static const struct option opts[] = {
++ { .name = "l7proto", .has_arg = 1, .val = 'p' },
++ { .name = "l7dir", .has_arg = 1, .val = 'd' },
++ { .name = NULL }
+};
+
+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
-+int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
+{
+ FILE * f;
+ char * line = NULL;
@@ -127,12 +120,6 @@
+ fclose(f);
+
+ return 1;
-+
-+/*
-+ fprintf(stderr, "protocol: %s\npattern: %s\n\n",
-+ info->protocol,
-+ info->pattern);
-+*/
+}
+
+static int hex2dec(char c)
@@ -156,7 +143,7 @@
+static char * pre_process(char * s)
+{
+ char * result = malloc(strlen(s) + 1);
-+ int sindex = 0, rindex = 0;
++ int sindex = 0, rrindex = 0;
+ while( sindex < strlen(s) )
+ {
+ if( sindex + 3 < strlen(s) &&
@@ -164,10 +151,10 @@
+ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
+ {
+ /* carefully remember to call tolower here... */
-+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
++ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
+ hex2dec(s[sindex + 3] ) );
+
-+ switch ( result[rindex] )
++ switch ( result[rrindex] )
+ {
+ case 0x24:
+ case 0x28:
@@ -184,7 +171,7 @@
+ fprintf(stderr,
+ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
+ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
-+ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
++ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
+ break;
+ case 0x00:
+ fprintf(stderr,
@@ -198,18 +185,18 @@
+ sindex += 3; /* 4 total */
+ }
+ else
-+ result[rindex] = tolower(s[sindex]);
++ result[rrindex] = tolower(s[sindex]);
+
+ sindex++;
-+ rindex++;
++ rrindex++;
+ }
-+ result[rindex] = '\0';
++ result[rrindex] = '\0';
+
+ return result;
+}
+
+#define MAX_SUBDIRS 128
-+char ** readl7dir(char * dirname)
++static char ** readl7dir(char * dirname)
+{
+ DIR * scratchdir;
+ struct dirent ** namelist;
@@ -263,18 +250,15 @@
+ return subdirs;
+}
+
-+static void
-+parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
+{
+ char filename[MAX_FN_LEN];
+ char * dir = NULL;
+ char ** subdirs;
+ int n = 0, done = 0;
+
-+ if(strlen(l7dir) > 0)
-+ dir = l7dir;
-+ else
-+ dir = "/etc/l7-protocols";
++ if(strlen(l7dir) > 0) dir = l7dir;
++ else dir = "/etc/l7-protocols";
+
+ subdirs = readl7dir(dir);
+
@@ -282,24 +266,16 @@
+ {
+ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
+
-+ //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
-+
+ if(c > MAX_FN_LEN)
-+ {
+ xtables_error(OTHER_PROBLEM,
+ "Filename beginning with %s is too long!\n", filename);
-+ }
+
+ /* read in the pattern from the file */
-+ if(parse_protocol_file(filename, s, info))
-+ {
-+ //fprintf(stderr, "found\n");
++ if(parse_protocol_file(filename, s, info)){
+ done = 1;
+ break;
+ }
+
-+ //fprintf(stderr, "not found\n");
-+
+ n++;
+ }
+
@@ -314,25 +290,20 @@
+
+/* Function which parses command options; returns true if it ate an option */
+static int parse(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry,
-+ struct xt_entry_match **match)
++ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_layer7_info *layer7info =
+ (struct xt_layer7_info *)(*match)->data;
+
+ switch (c) {
-+ case '1':
-+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
++ case 'p':
+ parse_layer7_protocol(argv[optind-1], layer7info);
+ if (invert)
-+ layer7info->invert = 1;
++ layer7info->invert = true;
+ *flags = 1;
+ break;
+
-+ case '2':
-+ /* not going to use this, but maybe we need to strip a ! anyway (?) */
-+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-+
++ case 'd':
+ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
+ xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
+
@@ -369,7 +340,6 @@
+ int numeric)
+{
+ printf("LAYER7 ");
-+
+ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
+ ((struct xt_layer7_info *)match->data)->invert, numeric);
+}
@@ -379,14 +349,15 @@
+ const struct xt_layer7_info *info =
+ (const struct xt_layer7_info*) match->data;
+
-+ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
++ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
+}
+
+static struct xtables_match layer7 = {
++ .family = AF_INET,
+ .name = "layer7",
+ .version = XTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct xt_layer7_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)),
++ .size = XT_ALIGN(sizeof(struct xt_layer7_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
+ .help = &help,
+ .parse = &parse,
+ .final_check = &final_check,
@@ -399,9 +370,9 @@
+{
+ xtables_register_match(&layer7);
+}
-diff -Nurp iptables-1.3.8/extensions/libipt_layer7.man iptables-1.3.8-layer7/extensions/libipt_layer7.man
---- iptables-1.3.8/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600
-+++ iptables-1.3.8-layer7/extensions/libipt_layer7.man 2007-07-04 19:06:03.000000000 -0500
+diff -urN iptables-1.4.9.1.org/extensions/libxt_layer7.man iptables-1.4.9.1/extensions/libxt_layer7.man
+--- iptables-1.4.9.1.org/extensions/libxt_layer7.man 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.9.1/extensions/libxt_layer7.man 2009-07-14 00:51:32.000000000 +0200
@@ -0,0 +1,14 @@
+This module matches packets based on the application layer data of
+their connections. It uses regular expression matching to compare
================================================================
Index: packages/iptables/iptables.spec
diff -u packages/iptables/iptables.spec:1.285 packages/iptables/iptables.spec:1.286
--- packages/iptables/iptables.spec:1.285 Tue Oct 12 22:48:56 2010
+++ packages/iptables/iptables.spec Fri Oct 15 19:33:22 2010
@@ -290,7 +290,6 @@
%attr(755,root,root) %{_libdir}/xtables/libipt_icmp.so
#%attr(755,root,root) %{_libdir}/xtables/libipt_ipv4options.so
%attr(755,root,root) %{_libdir}/xtables/libipt_IPV4OPTSSTRIP.so
-%attr(755,root,root) %{_libdir}/xtables/libipt_layer7.so
%attr(755,root,root) %{_libdir}/xtables/libipt_LOG.so
%attr(755,root,root) %{_libdir}/xtables/libipt_MASQUERADE.so
%attr(755,root,root) %{_libdir}/xtables/libipt_MIRROR.so
@@ -302,7 +301,7 @@
%attr(755,root,root) %{_libdir}/xtables/libipt_rpc.so
%attr(755,root,root) %{_libdir}/xtables/libipt_SAME.so
%attr(755,root,root) %{_libdir}/xtables/libipt_SNAT.so
-%attr(755,root,root) %{_libdir}/xtables/libipt_stealth.so
+#%attr(755,root,root) %{_libdir}/xtables/libipt_stealth.so
%attr(755,root,root) %{_libdir}/xtables/libipt_ttl.so
%attr(755,root,root) %{_libdir}/xtables/libipt_TTL.so
%attr(755,root,root) %{_libdir}/xtables/libipt_ULOG.so
@@ -326,6 +325,7 @@
%attr(755,root,root) %{_libdir}/xtables/libxt_IMQ.so
%attr(755,root,root) %{_libdir}/xtables/libxt_iprange.so
%attr(755,root,root) %{_libdir}/xtables/libxt_LED.so
+%attr(755,root,root) %{_libdir}/xtables/libxt_layer7.so
%attr(755,root,root) %{_libdir}/xtables/libxt_length.so
%attr(755,root,root) %{_libdir}/xtables/libxt_limit.so
%attr(755,root,root) %{_libdir}/xtables/libxt_mac.so
@@ -410,6 +410,9 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.286 2010/10/15 17:33:22 arekm
+- update layer7 patch
+
Revision 1.285 2010/10/12 20:48:56 arekm
- comment out stealth patch; broken
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/iptables/iptables-layer7.patch?r1=1.6&r2=1.7&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/iptables/iptables.spec?r1=1.285&r2=1.286&f=u
More information about the pld-cvs-commit
mailing list