diff options
author | mbm <mbm@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2004-09-19 07:44:57 +0000 |
---|---|---|
committer | mbm <mbm@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2004-09-19 07:44:57 +0000 |
commit | 61e08700383d20ffb5d28f1e4700c9da2aa17f06 (patch) | |
tree | bc267a68bac7c67c7f638b06d4b1bc2f46ff62a6 /obsolete-buildroot/sources/openwrt/kernel | |
parent | 2721db4a989f3c55fd0e3ec5d784afea3834f537 (diff) |
netfilter patches must be applied before other kernel patches to avoid breaking patch-o-matic
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@163 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'obsolete-buildroot/sources/openwrt/kernel')
-rw-r--r-- | obsolete-buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch | 5834 |
1 files changed, 5834 insertions, 0 deletions
diff --git a/obsolete-buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch b/obsolete-buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch new file mode 100644 index 0000000000..611261f2d5 --- /dev/null +++ b/obsolete-buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch @@ -0,0 +1,5834 @@ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack.h 2003-08-12 07:43:11.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h 2004-05-09 04:13:03.000000000 -0400 +@@ -45,39 +45,27 @@ + + #include <linux/netfilter_ipv4/ip_conntrack_tcp.h> + #include <linux/netfilter_ipv4/ip_conntrack_icmp.h> +-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> + + /* per conntrack: protocol private data */ + union ip_conntrack_proto { + /* insert conntrack proto private data here */ +- struct ip_ct_gre gre; + struct ip_ct_tcp tcp; + struct ip_ct_icmp icmp; + }; + + union ip_conntrack_expect_proto { + /* insert expect proto private data here */ +- struct ip_ct_gre_expect gre; + }; + + /* Add protocol helper include file here */ +-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> +-#include <linux/netfilter_ipv4/ip_conntrack_mms.h> +-#include <linux/netfilter_ipv4/ip_conntrack_h323.h> +- + #include <linux/netfilter_ipv4/ip_conntrack_ftp.h> + #include <linux/netfilter_ipv4/ip_conntrack_irc.h> +-#include <linux/netfilter_ipv4/ip_autofw.h> + + /* per expectation: application helper private data */ + union ip_conntrack_expect_help { + /* insert conntrack helper private data (expect) here */ +- struct ip_ct_pptp_expect exp_pptp_info; +- struct ip_ct_mms_expect exp_mms_info; +- struct ip_ct_h225_expect exp_h225_info; + struct ip_ct_ftp_expect exp_ftp_info; + struct ip_ct_irc_expect exp_irc_info; +- struct ip_autofw_expect exp_autofw_info; + + #ifdef CONFIG_IP_NF_NAT_NEEDED + union { +@@ -89,21 +77,16 @@ + /* per conntrack: application helper private data */ + union ip_conntrack_help { + /* insert conntrack helper private data (master) here */ +- struct ip_ct_pptp_master ct_pptp_info; +- struct ip_ct_mms_master ct_mms_info; +- struct ip_ct_h225_master ct_h225_info; + struct ip_ct_ftp_master ct_ftp_info; + struct ip_ct_irc_master ct_irc_info; + }; + + #ifdef CONFIG_IP_NF_NAT_NEEDED + #include <linux/netfilter_ipv4/ip_nat.h> +-#include <linux/netfilter_ipv4/ip_nat_pptp.h> + + /* per conntrack: nat application helper private data */ + union ip_conntrack_nat_help { + /* insert nat helper private data here */ +- struct ip_nat_pptp nat_pptp_info; + }; + #endif + +@@ -275,9 +258,5 @@ + } + + extern unsigned int ip_conntrack_htable_size; +- +-/* connection tracking time out variables. */ +-extern int sysctl_ip_conntrack_tcp_timeouts[10]; +-extern int sysctl_ip_conntrack_udp_timeouts[2]; + #endif /* __KERNEL__ */ + #endif /* _IP_CONNTRACK_H */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,30 +0,0 @@ +-#ifndef _IP_CONNTRACK_H323_H +-#define _IP_CONNTRACK_H323_H +-/* H.323 connection tracking. */ +- +-#ifdef __KERNEL__ +-/* Protects H.323 related data */ +-DECLARE_LOCK_EXTERN(ip_h323_lock); +-#endif +- +-/* Default H.225 port */ +-#define H225_PORT 1720 +- +-/* This structure is per expected connection */ +-struct ip_ct_h225_expect { +- u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */ +- enum ip_conntrack_dir dir; /* Direction of the original connection */ +- unsigned int offset; /* offset of the address in the payload */ +-}; +- +-/* This structure exists only once per master */ +-struct ip_ct_h225_master { +- int is_h225; /* H.225 or H.245 connection */ +-#ifdef CONFIG_IP_NF_NAT_NEEDED +- enum ip_conntrack_dir dir; /* Direction of the original connection */ +- u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */ +- unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */ +-#endif +-}; +- +-#endif /* _IP_CONNTRACK_H323_H */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,31 +0,0 @@ +-#ifndef _IP_CONNTRACK_MMS_H +-#define _IP_CONNTRACK_MMS_H +-/* MMS tracking. */ +- +-#ifdef __KERNEL__ +-#include <linux/netfilter_ipv4/lockhelp.h> +- +-DECLARE_LOCK_EXTERN(ip_mms_lock); +- +-#define MMS_PORT 1755 +-#define MMS_SRV_MSG_ID 196610 +- +-#define MMS_SRV_MSG_OFFSET 36 +-#define MMS_SRV_UNICODE_STRING_OFFSET 60 +-#define MMS_SRV_CHUNKLENLV_OFFSET 16 +-#define MMS_SRV_CHUNKLENLM_OFFSET 32 +-#define MMS_SRV_MESSAGELENGTH_OFFSET 8 +-#endif +- +-/* This structure is per expected connection */ +-struct ip_ct_mms_expect { +- u_int32_t len; +- u_int32_t padding; +- u_int16_t port; +-}; +- +-/* This structure exists only once per master */ +-struct ip_ct_mms_master { +-}; +- +-#endif /* _IP_CONNTRACK_MMS_H */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,313 +0,0 @@ +-/* PPTP constants and structs */ +-#ifndef _CONNTRACK_PPTP_H +-#define _CONNTRACK_PPTP_H +- +-/* state of the control session */ +-enum pptp_ctrlsess_state { +- PPTP_SESSION_NONE, /* no session present */ +- PPTP_SESSION_ERROR, /* some session error */ +- PPTP_SESSION_STOPREQ, /* stop_sess request seen */ +- PPTP_SESSION_REQUESTED, /* start_sess request seen */ +- PPTP_SESSION_CONFIRMED, /* session established */ +-}; +- +-/* state of the call inside the control session */ +-enum pptp_ctrlcall_state { +- PPTP_CALL_NONE, +- PPTP_CALL_ERROR, +- PPTP_CALL_OUT_REQ, +- PPTP_CALL_OUT_CONF, +- PPTP_CALL_IN_REQ, +- PPTP_CALL_IN_REP, +- PPTP_CALL_IN_CONF, +- PPTP_CALL_CLEAR_REQ, +-}; +- +- +-/* conntrack private data */ +-struct ip_ct_pptp_master { +- enum pptp_ctrlsess_state sstate; /* session state */ +- +- /* everything below is going to be per-expectation in newnat, +- * since there could be more than one call within one session */ +- enum pptp_ctrlcall_state cstate; /* call state */ +- u_int16_t pac_call_id; /* call id of PAC, host byte order */ +- u_int16_t pns_call_id; /* call id of PNS, host byte order */ +-}; +- +-/* conntrack_expect private member */ +-struct ip_ct_pptp_expect { +- enum pptp_ctrlcall_state cstate; /* call state */ +- u_int16_t pac_call_id; /* call id of PAC */ +- u_int16_t pns_call_id; /* call id of PNS */ +-}; +- +- +-#ifdef __KERNEL__ +- +-#include <linux/netfilter_ipv4/lockhelp.h> +-DECLARE_LOCK_EXTERN(ip_pptp_lock); +- +-#define IP_CONNTR_PPTP PPTP_CONTROL_PORT +- +-union pptp_ctrl_union { +- void *rawreq; +- struct PptpStartSessionRequest *sreq; +- struct PptpStartSessionReply *srep; +- struct PptpStopSessionReqest *streq; +- struct PptpStopSessionReply *strep; +- struct PptpOutCallRequest *ocreq; +- struct PptpOutCallReply *ocack; +- struct PptpInCallRequest *icreq; +- struct PptpInCallReply *icack; +- struct PptpInCallConnected *iccon; +- struct PptpClearCallRequest *clrreq; +- struct PptpCallDisconnectNotify *disc; +- struct PptpWanErrorNotify *wanerr; +- struct PptpSetLinkInfo *setlink; +-}; +- +- +- +-#define PPTP_CONTROL_PORT 1723 +- +-#define PPTP_PACKET_CONTROL 1 +-#define PPTP_PACKET_MGMT 2 +- +-#define PPTP_MAGIC_COOKIE 0x1a2b3c4d +- +-struct pptp_pkt_hdr { +- __u16 packetLength; +- __u16 packetType; +- __u32 magicCookie; +-}; +- +-/* PptpControlMessageType values */ +-#define PPTP_START_SESSION_REQUEST 1 +-#define PPTP_START_SESSION_REPLY 2 +-#define PPTP_STOP_SESSION_REQUEST 3 +-#define PPTP_STOP_SESSION_REPLY 4 +-#define PPTP_ECHO_REQUEST 5 +-#define PPTP_ECHO_REPLY 6 +-#define PPTP_OUT_CALL_REQUEST 7 +-#define PPTP_OUT_CALL_REPLY 8 +-#define PPTP_IN_CALL_REQUEST 9 +-#define PPTP_IN_CALL_REPLY 10 +-#define PPTP_IN_CALL_CONNECT 11 +-#define PPTP_CALL_CLEAR_REQUEST 12 +-#define PPTP_CALL_DISCONNECT_NOTIFY 13 +-#define PPTP_WAN_ERROR_NOTIFY 14 +-#define PPTP_SET_LINK_INFO 15 +- +-#define PPTP_MSG_MAX 15 +- +-/* PptpGeneralError values */ +-#define PPTP_ERROR_CODE_NONE 0 +-#define PPTP_NOT_CONNECTED 1 +-#define PPTP_BAD_FORMAT 2 +-#define PPTP_BAD_VALUE 3 +-#define PPTP_NO_RESOURCE 4 +-#define PPTP_BAD_CALLID 5 +-#define PPTP_REMOVE_DEVICE_ERROR 6 +- +-struct PptpControlHeader { +- __u16 messageType; +- __u16 reserved; +-}; +- +-/* FramingCapability Bitmap Values */ +-#define PPTP_FRAME_CAP_ASYNC 0x1 +-#define PPTP_FRAME_CAP_SYNC 0x2 +- +-/* BearerCapability Bitmap Values */ +-#define PPTP_BEARER_CAP_ANALOG 0x1 +-#define PPTP_BEARER_CAP_DIGITAL 0x2 +- +-struct PptpStartSessionRequest { +- __u16 protocolVersion; +- __u8 reserved1; +- __u8 reserved2; +- __u32 framingCapability; +- __u32 bearerCapability; +- __u16 maxChannels; +- __u16 firmwareRevision; +- __u8 hostName[64]; +- __u8 vendorString[64]; +-}; +- +-/* PptpStartSessionResultCode Values */ +-#define PPTP_START_OK 1 +-#define PPTP_START_GENERAL_ERROR 2 +-#define PPTP_START_ALREADY_CONNECTED 3 +-#define PPTP_START_NOT_AUTHORIZED 4 +-#define PPTP_START_UNKNOWN_PROTOCOL 5 +- +-struct PptpStartSessionReply { +- __u16 protocolVersion; +- __u8 resultCode; +- __u8 generalErrorCode; +- __u32 framingCapability; +- __u32 bearerCapability; +- __u16 maxChannels; +- __u16 firmwareRevision; +- __u8 hostName[64]; +- __u8 vendorString[64]; +-}; +- +-/* PptpStopReasons */ +-#define PPTP_STOP_NONE 1 +-#define PPTP_STOP_PROTOCOL 2 +-#define PPTP_STOP_LOCAL_SHUTDOWN 3 +- +-struct PptpStopSessionRequest { +- __u8 reason; +-}; +- +-/* PptpStopSessionResultCode */ +-#define PPTP_STOP_OK 1 +-#define PPTP_STOP_GENERAL_ERROR 2 +- +-struct PptpStopSessionReply { +- __u8 resultCode; +- __u8 generalErrorCode; +-}; +- +-struct PptpEchoRequest { +- __u32 identNumber; +-}; +- +-/* PptpEchoReplyResultCode */ +-#define PPTP_ECHO_OK 1 +-#define PPTP_ECHO_GENERAL_ERROR 2 +- +-struct PptpEchoReply { +- __u32 identNumber; +- __u8 resultCode; +- __u8 generalErrorCode; +- __u16 reserved; +-}; +- +-/* PptpFramingType */ +-#define PPTP_ASYNC_FRAMING 1 +-#define PPTP_SYNC_FRAMING 2 +-#define PPTP_DONT_CARE_FRAMING 3 +- +-/* PptpCallBearerType */ +-#define PPTP_ANALOG_TYPE 1 +-#define PPTP_DIGITAL_TYPE 2 +-#define PPTP_DONT_CARE_BEARER_TYPE 3 +- +-struct PptpOutCallRequest { +- __u16 callID; +- __u16 callSerialNumber; +- __u32 minBPS; +- __u32 maxBPS; +- __u32 bearerType; +- __u32 framingType; +- __u16 packetWindow; +- __u16 packetProcDelay; +- __u16 reserved1; +- __u16 phoneNumberLength; +- __u16 reserved2; +- __u8 phoneNumber[64]; +- __u8 subAddress[64]; +-}; +- +-/* PptpCallResultCode */ +-#define PPTP_OUTCALL_CONNECT 1 +-#define PPTP_OUTCALL_GENERAL_ERROR 2 +-#define PPTP_OUTCALL_NO_CARRIER 3 +-#define PPTP_OUTCALL_BUSY 4 +-#define PPTP_OUTCALL_NO_DIAL_TONE 5 +-#define PPTP_OUTCALL_TIMEOUT 6 +-#define PPTP_OUTCALL_DONT_ACCEPT 7 +- +-struct PptpOutCallReply { +- __u16 callID; +- __u16 peersCallID; +- __u8 resultCode; +- __u8 generalErrorCode; +- __u16 causeCode; +- __u32 connectSpeed; +- __u16 packetWindow; +- __u16 packetProcDelay; +- __u32 physChannelID; +-}; +- +-struct PptpInCallRequest { +- __u16 callID; +- __u16 callSerialNumber; +- __u32 callBearerType; +- __u32 physChannelID; +- __u16 dialedNumberLength; +- __u16 dialingNumberLength; +- __u8 dialedNumber[64]; +- __u8 dialingNumber[64]; +- __u8 subAddress[64]; +-}; +- +-/* PptpInCallResultCode */ +-#define PPTP_INCALL_ACCEPT 1 +-#define PPTP_INCALL_GENERAL_ERROR 2 +-#define PPTP_INCALL_DONT_ACCEPT 3 +- +-struct PptpInCallReply { +- __u16 callID; +- __u16 peersCallID; +- __u8 resultCode; +- __u8 generalErrorCode; +- __u16 packetWindow; +- __u16 packetProcDelay; +- __u16 reserved; +-}; +- +-struct PptpInCallConnected { +- __u16 peersCallID; +- __u16 reserved; +- __u32 connectSpeed; +- __u16 packetWindow; +- __u16 packetProcDelay; +- __u32 callFramingType; +-}; +- +-struct PptpClearCallRequest { +- __u16 callID; +- __u16 reserved; +-}; +- +-struct PptpCallDisconnectNotify { +- __u16 callID; +- __u8 resultCode; +- __u8 generalErrorCode; +- __u16 causeCode; +- __u16 reserved; +- __u8 callStatistics[128]; +-}; +- +-struct PptpWanErrorNotify { +- __u16 peersCallID; +- __u16 reserved; +- __u32 crcErrors; +- __u32 framingErrors; +- __u32 hardwareOverRuns; +- __u32 bufferOverRuns; +- __u32 timeoutErrors; +- __u32 alignmentErrors; +-}; +- +-struct PptpSetLinkInfo { +- __u16 peersCallID; +- __u16 reserved; +- __u32 sendAccm; +- __u32 recvAccm; +-}; +- +- +-struct pptp_priv_data { +- __u16 call_id; +- __u16 mcall_id; +- __u16 pcall_id; +-}; +- +-#endif /* __KERNEL__ */ +-#endif /* _CONNTRACK_PPTP_H */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,121 +0,0 @@ +-#ifndef _CONNTRACK_PROTO_GRE_H +-#define _CONNTRACK_PROTO_GRE_H +-#include <asm/byteorder.h> +- +-/* GRE PROTOCOL HEADER */ +- +-/* GRE Version field */ +-#define GRE_VERSION_1701 0x0 +-#define GRE_VERSION_PPTP 0x1 +- +-/* GRE Protocol field */ +-#define GRE_PROTOCOL_PPTP 0x880B +- +-/* GRE Flags */ +-#define GRE_FLAG_C 0x80 +-#define GRE_FLAG_R 0x40 +-#define GRE_FLAG_K 0x20 +-#define GRE_FLAG_S 0x10 +-#define GRE_FLAG_A 0x80 +- +-#define GRE_IS_C(f) ((f)&GRE_FLAG_C) +-#define GRE_IS_R(f) ((f)&GRE_FLAG_R) +-#define GRE_IS_K(f) ((f)&GRE_FLAG_K) +-#define GRE_IS_S(f) ((f)&GRE_FLAG_S) +-#define GRE_IS_A(f) ((f)&GRE_FLAG_A) +- +-/* GRE is a mess: Four different standards */ +-struct gre_hdr { +-#if defined(__LITTLE_ENDIAN_BITFIELD) +- __u16 rec:3, +- srr:1, +- seq:1, +- key:1, +- routing:1, +- csum:1, +- version:3, +- reserved:4, +- ack:1; +-#elif defined(__BIG_ENDIAN_BITFIELD) +- __u16 csum:1, +- routing:1, +- key:1, +- seq:1, +- srr:1, +- rec:3, +- ack:1, +- reserved:4, +- version:3; +-#else +-#error "Adjust your <asm/byteorder.h> defines" +-#endif +- __u16 protocol; +-}; +- +-/* modified GRE header for PPTP */ +-struct gre_hdr_pptp { +- __u8 flags; /* bitfield */ +- __u8 version; /* should be GRE_VERSION_PPTP */ +- __u16 protocol; /* should be GRE_PROTOCOL_PPTP */ +- __u16 payload_len; /* size of ppp payload, not inc. gre header */ +- __u16 call_id; /* peer's call_id for this session */ +- __u32 seq; /* sequence number. Present if S==1 */ +- __u32 ack; /* seq number of highest packet recieved by */ +- /* sender in this session */ +-}; +- +- +-/* this is part of ip_conntrack */ +-struct ip_ct_gre { +- unsigned int stream_timeout; +- unsigned int timeout; +-}; +- +-/* this is part of ip_conntrack_expect */ +-struct ip_ct_gre_expect { +- struct ip_ct_gre_keymap *keymap_orig, *keymap_reply; +-}; +- +-#ifdef __KERNEL__ +- +-/* structure for original <-> reply keymap */ +-struct ip_ct_gre_keymap { +- struct list_head list; +- +- struct ip_conntrack_tuple tuple; +- struct ip_conntrack_expect *master; +-}; +- +- +-/* add new tuple->key_reply pair to keymap */ +-int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp, +- struct ip_conntrack_tuple *t, +- int reply); +- +-/* change an existing keymap entry */ +-void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km, +- struct ip_conntrack_tuple *t); +- +- +- +-/* get pointer to gre key, if present */ +-static inline u_int32_t *gre_key(struct gre_hdr *greh) +-{ +- if (!greh->key) +- return NULL; +- if (greh->csum || greh->routing) +- return (u_int32_t *) (greh+sizeof(*greh)+4); +- return (u_int32_t *) (greh+sizeof(*greh)); +-} +- +-/* get pointer ot gre csum, if present */ +-static inline u_int16_t *gre_csum(struct gre_hdr *greh) +-{ +- if (!greh->csum) +- return NULL; +- return (u_int16_t *) (greh+sizeof(*greh)); +-} +- +-#endif /* __KERNEL__ */ +- +-#endif /* _CONNTRACK_PROTO_GRE_H */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,13 +0,0 @@ +-#ifndef _IP_CT_TFTP +-#define _IP_CT_TFTP +- +-#define TFTP_PORT 69 +- +-struct tftphdr { +- u_int16_t opcode; +-}; +- +-#define TFTP_OPCODE_READ 1 +-#define TFTP_OPCODE_WRITE 2 +- +-#endif /* _IP_CT_TFTP */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h +--- linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-05-09 04:13:03.000000000 -0400 +@@ -14,7 +14,7 @@ + union ip_conntrack_manip_proto + { + /* Add other protocols here. */ +- u_int32_t all; ++ u_int16_t all; + + struct { + u_int16_t port; +@@ -25,9 +25,6 @@ + struct { + u_int16_t id; + } icmp; +- struct { +- u_int32_t key; +- } gre; + }; + + /* The manipulable part of the tuple. */ +@@ -47,7 +44,7 @@ + u_int32_t ip; + union { + /* Add other protocols here. */ +- u_int64_t all; ++ u_int16_t all; + + struct { + u_int16_t port; +@@ -58,11 +55,6 @@ + struct { + u_int8_t type, code; + } icmp; +- struct { +- u_int16_t protocol; +- u_int8_t version; +- u_int32_t key; +- } gre; + } u; + + /* The protocol. */ +@@ -80,16 +72,10 @@ + #ifdef __KERNEL__ + + #define DUMP_TUPLE(tp) \ +-DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \ ++DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \ + (tp), (tp)->dst.protonum, \ +- NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \ +- NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all)) +- +-#define DUMP_TUPLE_RAW(x) \ +- DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\ +- (x), (x)->dst.protonum, \ +- NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \ +- NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all)) ++ NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \ ++ NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all)) + + #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) + +diff -Nurb linux/include/linux/netfilter_ipv4/ip_nat_pptp.h linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h +--- linux/include/linux/netfilter_ipv4/ip_nat_pptp.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,11 +0,0 @@ +-/* PPTP constants and structs */ +-#ifndef _NAT_PPTP_H +-#define _NAT_PPTP_H +- +-/* conntrack private data */ +-struct ip_nat_pptp { +- u_int16_t pns_call_id; /* NAT'ed PNS call id */ +- u_int16_t pac_call_id; /* NAT'ed PAC call id */ +-}; +- +-#endif /* _NAT_PPTP_H */ +diff -Nurb linux/include/linux/netfilter_ipv4/ip_pool.h linux.stock/include/linux/netfilter_ipv4/ip_pool.h +--- linux/include/linux/netfilter_ipv4/ip_pool.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ip_pool.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,64 +0,0 @@ +-#ifndef _IP_POOL_H +-#define _IP_POOL_H +- +-/***************************************************************************/ +-/* This program is free software; you can redistribute it and/or modify */ +-/* it under the terms of the GNU General Public License as published by */ +-/* the Free Software Foundation; either version 2 of the License, or */ +-/* (at your option) any later version. */ +-/* */ +-/* This program is distributed in the hope that it will be useful, */ +-/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ +-/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */ +-/* GNU General Public License for more details. */ +-/* */ +-/* You should have received a copy of the GNU General Public License */ +-/* along with this program; if not, write to the Free Software */ +-/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/ +-/***************************************************************************/ +- +-/* A sockopt of such quality has hardly ever been seen before on the open +- * market! This little beauty, hardly ever used: above 64, so it's +- * traditionally used for firewalling, not touched (even once!) by the +- * 2.0, 2.2 and 2.4 kernels! +- * +- * Comes with its own certificate of authenticity, valid anywhere in the +- * Free world! +- * +- * Rusty, 19.4.2000 +- */ +-#define SO_IP_POOL 81 +- +-typedef int ip_pool_t; /* pool index */ +-#define IP_POOL_NONE ((ip_pool_t)-1) +- +-struct ip_pool_request { +- int op; +- ip_pool_t index; +- u_int32_t addr; +- u_int32_t addr2; +-}; +- +-/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */ +- +-#define IP_POOL_BAD001 0x00000010 +- +-#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */ +-#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */ +-#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */ +-#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */ +-#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */ +-#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */ +-#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */ +-#define IP_POOL_USAGE 0x00000018 /* result in addr */ +-#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */ +- +-#ifdef __KERNEL__ +- +-/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */ +-extern int ip_pool_match(ip_pool_t pool, u_int32_t addr); +-extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel); +- +-#endif +- +-#endif /*_IP_POOL_H*/ +diff -Nurb linux/include/linux/netfilter_ipv4/ipt_pool.h linux.stock/include/linux/netfilter_ipv4/ipt_pool.h +--- linux/include/linux/netfilter_ipv4/ipt_pool.h 2003-07-04 04:12:27.000000000 -0400 ++++ linux.stock/include/linux/netfilter_ipv4/ipt_pool.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,25 +0,0 @@ +-#ifndef _IPT_POOL_H +-#define _IPT_POOL_H +- +-#include <linux/netfilter_ipv4/ip_pool.h> +- +-#define IPT_POOL_INV_SRC 0x00000001 +-#define IPT_POOL_INV_DST 0x00000002 +-#define IPT_POOL_DEL_SRC 0x00000004 +-#define IPT_POOL_DEL_DST 0x00000008 +-#define IPT_POOL_INV_MOD_SRC 0x00000010 +-#define IPT_POOL_INV_MOD_DST 0x00000020 +-#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040 +-#define IPT_POOL_MOD_DST_ACCEPT 0x00000080 +-#define IPT_POOL_MOD_SRC_DROP 0x00000100 +-#define IPT_POOL_MOD_DST_DROP 0x00000200 +- +-/* match info */ +-struct ipt_pool_info +-{ +- ip_pool_t src; +- ip_pool_t dst; +- unsigned flags; +-}; +- +-#endif /*_IPT_POOL_H*/ +diff -Nurb linux/net/ipv4/netfilter/Config.in linux.stock/net/ipv4/netfilter/Config.in +--- linux/net/ipv4/netfilter/Config.in 2004-02-19 06:04:35.000000000 -0500 ++++ linux.stock/net/ipv4/netfilter/Config.in 2004-05-09 04:13:03.000000000 -0400 +@@ -7,12 +7,7 @@ + tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK + if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then + dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK +- dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK +- dep_tristate ' H.323 (netmeeting) support' CONFIG_IP_NF_H323 $CONFIG_IP_NF_CONNTRACK + dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK +- dep_tristate ' MMS protocol support' CONFIG_IP_NF_MMS $CONFIG_IP_NF_CONNTRACK +- dep_tristate ' GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK +- dep_tristate ' PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE + fi + + if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then +@@ -22,19 +17,11 @@ + if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then + # The simple matches. + dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES +- +- dep_tristate ' IP address pool support' CONFIG_IP_NF_POOL $CONFIG_IP_NF_IPTABLES +- if [ "$CONFIG_IP_NF_POOL" = "y" -o "$CONFIG_IP_NF_POOL" = "m" ]; then +- bool ' enable statistics on pool usage' CONFIG_IP_POOL_STATISTICS n +- fi +- + dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES + dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES + dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES + dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES +- dep_tristate ' Multiple port with ranges match support' CONFIG_IP_NF_MATCH_MPORT $CONFIG_IP_NF_IPTABLES + dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES +- dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES + dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES + + dep_tristate ' DSCP match support' CONFIG_IP_NF_MATCH_DSCP $CONFIG_IP_NF_IPTABLES +@@ -52,7 +39,6 @@ + fi + if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then + dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES +- dep_tristate ' Webstr match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_WEBSTR $CONFIG_IP_NF_IPTABLES + dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES + fi + # The targets +@@ -70,29 +56,6 @@ + define_bool CONFIG_IP_NF_NAT_NEEDED y + dep_tristate ' MASQUERADE target support' CONFIG_IP_NF_TARGET_MASQUERADE $CONFIG_IP_NF_NAT + dep_tristate ' REDIRECT target support' CONFIG_IP_NF_TARGET_REDIRECT $CONFIG_IP_NF_NAT +- dep_tristate ' Automatic port forwarding (autofw) target support' CONFIG_IP_NF_AUTOFW $CONFIG_IP_NF_NAT +- dep_tristate ' TRIGGER target support (port-trigger)' CONFIG_IP_NF_TARGET_TRIGGER $CONFIG_IP_NF_NAT +- if [ "$CONFIG_IP_NF_H323" = "m" ]; then +- define_tristate CONFIG_IP_NF_NAT_H323 m +- else +- if [ "$CONFIG_IP_NF_H323" = "y" ]; then +- define_tristate CONFIG_IP_NF_NAT_H323 $CONFIG_IP_NF_NAT +- fi +- fi +- if [ "$CONFIG_IP_NF_PPTP" = "m" ]; then +- define_tristate CONFIG_IP_NF_NAT_PPTP m +- else +- if [ "$CONFIG_IP_NF_PPTP" = "y" ]; then +- define_tristate CONFIG_IP_NF_NAT_PPTP $CONFIG_IP_NF_NAT +- fi +- fi +- if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "m" ]; then +- define_tristate CONFIG_IP_NF_NAT_PROTO_GRE m +- else +- if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "y" ]; then +- define_tristate CONFIG_IP_NF_NAT_PROTO_GRE $CONFIG_IP_NF_NAT +- fi +- fi + bool ' NAT of local connections (READ HELP)' CONFIG_IP_NF_NAT_LOCAL + if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then + dep_tristate ' Basic SNMP-ALG support (EXPERIMENTAL)' CONFIG_IP_NF_NAT_SNMP_BASIC $CONFIG_IP_NF_NAT +@@ -104,13 +67,6 @@ + define_tristate CONFIG_IP_NF_NAT_IRC $CONFIG_IP_NF_NAT + fi + fi +- if [ "$CONFIG_IP_NF_MMS" = "m" ]; then +- define_tristate CONFIG_IP_NF_NAT_MMS m +- else +- if [ "$CONFIG_IP_NF_MMS" = "y" ]; then +- define_tristate CONFIG_IP_NF_NAT_MMS $CONFIG_IP_NF_NAT +- fi +- fi + # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), + # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh. + if [ "$CONFIG_IP_NF_FTP" = "m" ]; then +@@ -120,13 +76,6 @@ + define_tristate CONFIG_IP_NF_NAT_FTP $CONFIG_IP_NF_NAT + fi + fi +- if [ "$CONFIG_IP_NF_TFTP" = "m" ]; then +- define_tristate CONFIG_IP_NF_NAT_TFTP m +- else +- if [ "$CONFIG_IP_NF_TFTP" = "y" ]; then +- define_tristate CONFIG_IP_NF_NAT_TFTP $CONFIG_IP_NF_NAT +- fi +- fi + fi + fi + +diff -Nurb linux/net/ipv4/netfilter/Makefile linux.stock/net/ipv4/netfilter/Makefile +--- linux/net/ipv4/netfilter/Makefile 2004-02-19 06:04:35.000000000 -0500 ++++ linux.stock/net/ipv4/netfilter/Makefile 2004-05-09 04:13:03.000000000 -0400 +@@ -31,48 +31,20 @@ + # connection tracking + obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o + +-# H.323 support +-obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o +-obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o +-ifdef CONFIG_IP_NF_NAT_H323 +- export-objs += ip_conntrack_h323.o +-endif +- +- +-# connection tracking protocol helpers +-obj-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre.o +-ifdef CONFIG_IP_NF_CT_PROTO_GRE +- export-objs += ip_conntrack_proto_gre.o +-endif +- +-# NAT protocol helpers +-obj-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre.o +- + # connection tracking helpers +-obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o +-ifdef CONFIG_IP_NF_NAT_MMS +- export-objs += ip_conntrack_mms.o +-endif +-obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o +-ifdef CONFIG_IP_NF_NAT_PPTP +- export-objs += ip_conntrack_pptp.o +-endif +-obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o + obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o + ifdef CONFIG_IP_NF_NAT_FTP + export-objs += ip_conntrack_ftp.o + endif ++ + obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o + ifdef CONFIG_IP_NF_NAT_IRC + export-objs += ip_conntrack_irc.o + endif + + # NAT helpers +-obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o +-obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o + obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o + obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o +-obj-$(CONFIG_IP_NF_NAT_MMS) += ip_nat_mms.o + + # generic IP tables + obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o +@@ -86,19 +58,12 @@ + obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o + obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o + obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o +-obj-$(CONFIG_IP_NF_POOL) += ipt_pool.o ip_pool.o + obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o + + obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o + obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o +- +-obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o +- + obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o + obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o +- +-obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o +- + obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o + obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o + obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o +@@ -109,7 +74,6 @@ + obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o + obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o + obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o +-obj-$(CONFIG_IP_NF_MATCH_WEBSTR) += ipt_webstr.o + obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o + + # targets +@@ -125,8 +89,6 @@ + obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o + obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o + obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o +-obj-$(CONFIG_IP_NF_AUTOFW) += ip_autofw.o +-obj-$(CONFIG_IP_NF_TARGET_TRIGGER) += ipt_TRIGGER.o + + # generic ARP tables + obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_core.c linux.stock/net/ipv4/netfilter/ip_conntrack_core.c +--- linux/net/ipv4/netfilter/ip_conntrack_core.c 2003-08-12 07:33:45.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_core.c 2004-05-09 04:13:03.000000000 -0400 +@@ -47,7 +47,11 @@ + + #define IP_CONNTRACK_VERSION "2.1" + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + DECLARE_RWLOCK(ip_conntrack_lock); + DECLARE_RWLOCK(ip_conntrack_expect_tuple_lock); +@@ -62,29 +66,6 @@ + struct list_head *ip_conntrack_hash; + static kmem_cache_t *ip_conntrack_cachep; + +-#define SECS * HZ +-#define MINS * 60 SECS +-#define HOURS * 60 MINS +-#define DAYS * 24 HOURS +- +-int sysctl_ip_conntrack_tcp_timeouts[10] = { +- 30 MINS, /* TCP_CONNTRACK_NONE, */ +- 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */ +- 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */ +- 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */ +- 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */ +- 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */ +- 10 SECS, /* TCP_CONNTRACK_CLOSE, */ +- 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */ +- 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */ +- 2 MINS, /* TCP_CONNTRACK_LISTEN, */ +-}; +- +-int sysctl_ip_conntrack_udp_timeouts[2] = { +- 30 SECS, /* UNREPLIED */ +- 180 SECS /* ASSURED */ +-}; +- + extern struct ip_conntrack_protocol ip_conntrack_generic_protocol; + + static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr, +@@ -129,6 +110,9 @@ + static inline u_int32_t + hash_conntrack(const struct ip_conntrack_tuple *tuple) + { ++#if 0 ++ dump_tuple(tuple); ++#endif + /* ntohl because more differences in low bits. */ + /* To ensure that halves of the same connection don't hash + clash, we add the source per-proto again. */ +@@ -160,8 +144,6 @@ + tuple->dst.ip = iph->daddr; + tuple->dst.protonum = iph->protocol; + +- tuple->src.u.all = tuple->dst.u.all = 0; +- + ret = protocol->pkt_to_tuple((u_int32_t *)iph + iph->ihl, + len - 4*iph->ihl, + tuple); +@@ -177,8 +159,6 @@ + inverse->dst.ip = orig->src.ip; + inverse->dst.protonum = orig->dst.protonum; + +- inverse->src.u.all = inverse->dst.u.all = 0; +- + return protocol->invert_tuple(inverse, orig); + } + +@@ -196,8 +176,8 @@ + static void + destroy_expect(struct ip_conntrack_expect *exp) + { +- DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(&exp->use)); +- IP_NF_ASSERT(atomic_read(&exp->use)); ++ DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(exp->use)); ++ IP_NF_ASSERT(atomic_read(exp->use)); + IP_NF_ASSERT(!timer_pending(&exp->timeout)); + + kfree(exp); +@@ -267,11 +247,11 @@ + static void unexpect_related(struct ip_conntrack_expect *expect) + { + IP_NF_ASSERT(expect->expectant); ++ IP_NF_ASSERT(expect->expectant->helper); + /* if we are supposed to have a timer, but we can't delete + * it: race condition. __unexpect_related will + * be calledd by timeout function */ +- if (expect->expectant->helper +- && expect->expectant->helper->timeout ++ if (expect->expectant->helper->timeout + && !del_timer(&expect->timeout)) + return; + +@@ -580,6 +560,7 @@ + if (!h) { + /* Locally generated ICMPs will match inverted if they + haven't been SNAT'ed yet */ ++ /* FIXME: NAT code has to handle half-done double NAT --RR */ + if (hooknum == NF_IP_LOCAL_OUT) + h = ip_conntrack_find_get(&origtuple, NULL); + +@@ -725,7 +706,6 @@ + + /* If the expectation is dying, then this is a looser. */ + if (expected +- && expected->expectant->helper + && expected->expectant->helper->timeout + && ! del_timer(&expected->timeout)) + expected = NULL; +@@ -744,7 +724,6 @@ + conntrack->master = expected; + expected->sibling = conntrack; + LIST_DELETE(&ip_conntrack_expect_list, expected); +- INIT_LIST_HEAD(&expected->list); + expected->expectant->expecting--; + nf_conntrack_get(&master_ct(conntrack)->infos[0]); + } +@@ -821,9 +800,23 @@ + int set_reply; + int ret; + ++ /* FIXME: Do this right please. --RR */ + (*pskb)->nfcache |= NFC_UNKNOWN; + + /* Doesn't cover locally-generated broadcast, so not worth it. */ ++#if 0 ++ /* Ignore broadcast: no `connection'. */ ++ if ((*pskb)->pkt_type == PACKET_BROADCAST) { ++ printk("Broadcast packet!\n"); ++ return NF_ACCEPT; ++ } else if (((*pskb)->nh.iph->daddr & htonl(0x000000FF)) ++ == htonl(0x000000FF)) { ++ printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n", ++ NIPQUAD((*pskb)->nh.iph->saddr), ++ NIPQUAD((*pskb)->nh.iph->daddr), ++ (*pskb)->sk, (*pskb)->pkt_type); ++ } ++#endif + + /* Previously seen (loopback)? Ignore. Do this before + fragment check. */ +@@ -943,8 +936,8 @@ + * so there is no need to use the tuple lock too */ + + DEBUGP("ip_conntrack_expect_related %p\n", related_to); +- DEBUGP("tuple: "); DUMP_TUPLE_RAW(&expect->tuple); +- DEBUGP("mask: "); DUMP_TUPLE_RAW(&expect->mask); ++ DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple); ++ DEBUGP("mask: "); DUMP_TUPLE(&expect->mask); + + old = LIST_FIND(&ip_conntrack_expect_list, resent_expect, + struct ip_conntrack_expect *, &expect->tuple, +@@ -954,8 +947,7 @@ + pointing into the payload - otherwise we should have to copy + the data filled out by the helper over the old one */ + DEBUGP("expect_related: resent packet\n"); +- if (related_to->helper && +- related_to->helper->timeout) { ++ if (related_to->helper->timeout) { + if (!del_timer(&old->timeout)) { + /* expectation is dying. Fall through */ + old = NULL; +@@ -970,32 +962,26 @@ + WRITE_UNLOCK(&ip_conntrack_lock); + return -EEXIST; + } +- } else if (related_to->helper && +- related_to->helper->max_expected && ++ } else if (related_to->helper->max_expected && + related_to->expecting >= related_to->helper->max_expected) { + struct list_head *cur_item; + /* old == NULL */ +- if (!(related_to->helper->flags & +- IP_CT_HELPER_F_REUSE_EXPECT)) { +- WRITE_UNLOCK(&ip_conntrack_lock); + if (net_ratelimit()) + printk(KERN_WARNING + "ip_conntrack: max number of expected " + "connections %i of %s reached for " +- "%u.%u.%u.%u->%u.%u.%u.%u\n", ++ "%u.%u.%u.%u->%u.%u.%u.%u%s\n", + related_to->helper->max_expected, + related_to->helper->name, + NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip), +- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip)); ++ NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip), ++ related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT ? ++ ", reusing" : ""); ++ if (!(related_to->helper->flags & ++ IP_CT_HELPER_F_REUSE_EXPECT)) { ++ WRITE_UNLOCK(&ip_conntrack_lock); + return -EPERM; + } +- DEBUGP("ip_conntrack: max number of expected " +- "connections %i of %s reached for " +- "%u.%u.%u.%u->%u.%u.%u.%u, reusing\n", +- related_to->helper->max_expected, +- related_to->helper->name, +- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip), +- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip)); + + /* choose the the oldest expectation to evict */ + list_for_each(cur_item, &related_to->sibling_list) { +@@ -1055,8 +1041,7 @@ + /* add to global list of expectations */ + list_prepend(&ip_conntrack_expect_list, &new->list); + /* add and start timer if required */ +- if (related_to->helper && +- related_to->helper->timeout) { ++ if (related_to->helper->timeout) { + init_timer(&new->timeout); + new->timeout.data = (unsigned long)new; + new->timeout.function = expectation_timed_out; +@@ -1079,10 +1064,11 @@ + + MUST_BE_READ_LOCKED(&ip_conntrack_lock); + WRITE_LOCK(&ip_conntrack_expect_tuple_lock); ++ + DEBUGP("change_expect:\n"); +- DEBUGP("exp tuple: "); DUMP_TUPLE_RAW(&expect->tuple); +- DEBUGP("exp mask: "); DUMP_TUPLE_RAW(&expect->mask); +- DEBUGP("newtuple: "); DUMP_TUPLE_RAW(newtuple); ++ DEBUGP("exp tuple: "); DUMP_TUPLE(&expect->tuple); ++ DEBUGP("exp mask: "); DUMP_TUPLE(&expect->mask); ++ DEBUGP("newtuple: "); DUMP_TUPLE(newtuple); + if (expect->ct_tuple.dst.protonum == 0) { + /* Never seen before */ + DEBUGP("change expect: never seen before\n"); +@@ -1360,8 +1346,6 @@ + 0, NULL }; + + #define NET_IP_CONNTRACK_MAX 2089 +-#define NET_IP_CONNTRACK_TCP_TIMEOUTS 2090 +-#define NET_IP_CONNTRACK_UDP_TIMEOUTS 2091 + #define NET_IP_CONNTRACK_MAX_NAME "ip_conntrack_max" + + #ifdef CONFIG_SYSCTL +@@ -1370,14 +1354,6 @@ + static ctl_table ip_conntrack_table[] = { + { NET_IP_CONNTRACK_MAX, NET_IP_CONNTRACK_MAX_NAME, &ip_conntrack_max, + sizeof(ip_conntrack_max), 0644, NULL, proc_dointvec }, +- { NET_IP_CONNTRACK_TCP_TIMEOUTS, "ip_conntrack_tcp_timeouts", +- &sysctl_ip_conntrack_tcp_timeouts, +- sizeof(sysctl_ip_conntrack_tcp_timeouts), +- 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies }, +- { NET_IP_CONNTRACK_UDP_TIMEOUTS, "ip_conntrack_udp_timeouts", +- &sysctl_ip_conntrack_udp_timeouts, +- sizeof(sysctl_ip_conntrack_udp_timeouts), +- 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies }, + { 0 } + }; + +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_ftp.c linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c +--- linux/net/ipv4/netfilter/ip_conntrack_ftp.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c 2004-05-09 04:13:03.000000000 -0400 +@@ -24,7 +24,11 @@ + static int loose = 0; + MODULE_PARM(loose, "i"); + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + static int try_rfc959(const char *, size_t, u_int32_t [], char); + static int try_eprt(const char *, size_t, u_int32_t [], char); +@@ -191,6 +195,16 @@ + } + + if (strnicmp(data, pattern, plen) != 0) { ++#if 0 ++ size_t i; ++ ++ DEBUGP("ftp: string mismatch\n"); ++ for (i = 0; i < plen; i++) { ++ DEBUGFTP("ftp:char %u `%c'(%u) vs `%c'(%u)\n", ++ i, data[i], data[i], ++ pattern[i], pattern[i]); ++ } ++#endif + return 0; + } + +@@ -214,6 +228,7 @@ + return 1; + } + ++/* FIXME: This should be in userspace. Later. */ + static int help(const struct iphdr *iph, size_t len, + struct ip_conntrack *ct, + enum ip_conntrack_info ctinfo) +@@ -249,6 +264,7 @@ + } + + /* Checksum invalid? Ignore. */ ++ /* FIXME: Source route IP option packets --RR */ + if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, + csum_partial((char *)tcph, tcplen, 0))) { + DEBUGP("ftp_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_h323.c linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c +--- linux/net/ipv4/netfilter/ip_conntrack_h323.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,302 +0,0 @@ +-/* +- * H.323 'brute force' extension for H.323 connection tracking. +- * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> +- * +- * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project. +- * (http://www.coritel.it/projects/sofia/nat/) +- * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind' +- * the unregistered helpers to the conntrack entries. +- */ +- +- +-#include <linux/module.h> +-#include <linux/netfilter.h> +-#include <linux/ip.h> +-#include <net/checksum.h> +-#include <net/tcp.h> +- +-#include <linux/netfilter_ipv4/lockhelp.h> +-#include <linux/netfilter_ipv4/ip_conntrack.h> +-#include <linux/netfilter_ipv4/ip_conntrack_core.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> +-#include <linux/netfilter_ipv4/ip_conntrack_h323.h> +- +-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); +-MODULE_DESCRIPTION("H.323 'brute force' connection tracking module"); +-MODULE_LICENSE("GPL"); +- +-DECLARE_LOCK(ip_h323_lock); +-struct module *ip_conntrack_h323 = THIS_MODULE; +- +-#define DEBUGP(format, args...) +- +-static int h245_help(const struct iphdr *iph, size_t len, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo) +-{ +- struct tcphdr *tcph = (void *)iph + iph->ihl * 4; +- unsigned char *data = (unsigned char *) tcph + tcph->doff * 4; +- unsigned char *data_limit; +- u_int32_t tcplen = len - iph->ihl * 4; +- u_int32_t datalen = tcplen - tcph->doff * 4; +- int dir = CTINFO2DIR(ctinfo); +- struct ip_ct_h225_master *info = &ct->help.ct_h225_info; +- struct ip_conntrack_expect expect, *exp = &expect; +- struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info; +- u_int16_t data_port; +- u_int32_t data_ip; +- unsigned int i; +- +- DEBUGP("ct_h245_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", +- NIPQUAD(iph->saddr), ntohs(tcph->source), +- NIPQUAD(iph->daddr), ntohs(tcph->dest)); +- +- /* Can't track connections formed before we registered */ +- if (!info) +- return NF_ACCEPT; +- +- /* Until there's been traffic both ways, don't look in packets. */ +- if (ctinfo != IP_CT_ESTABLISHED +- && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { +- DEBUGP("ct_h245_help: Conntrackinfo = %u\n", ctinfo); +- return NF_ACCEPT; +- } +- +- /* Not whole TCP header or too short packet? */ +- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) { +- DEBUGP("ct_h245_help: tcplen = %u\n", (unsigned)tcplen); +- return NF_ACCEPT; +- } +- +- /* Checksum invalid? Ignore. */ +- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, +- csum_partial((char *)tcph, tcplen, 0))) { +- DEBUGP("ct_h245_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", +- tcph, tcplen, NIPQUAD(iph->saddr), +- NIPQUAD(iph->daddr)); +- return NF_ACCEPT; +- } +- +- data_limit = (unsigned char *) data + datalen; +- /* bytes: 0123 45 +- ipadrr port */ +- for (i = 0; data < (data_limit - 5); data++, i++) { +- memcpy(&data_ip, data, sizeof(u_int32_t)); +- if (data_ip == iph->saddr) { +- memcpy(&data_port, data + 4, sizeof(u_int16_t)); +- memset(&expect, 0, sizeof(expect)); +- /* update the H.225 info */ +- DEBUGP("ct_h245_help: new RTCP/RTP requested %u.%u.%u.%u:->%u.%u.%u.%u:%u\n", +- NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), +- NIPQUAD(iph->saddr), ntohs(data_port)); +- LOCK_BH(&ip_h323_lock); +- info->is_h225 = H225_PORT + 1; +- exp_info->port = data_port; +- exp_info->dir = dir; +- exp_info->offset = i; +- +- exp->seq = ntohl(tcph->seq) + i; +- +- exp->tuple = ((struct ip_conntrack_tuple) +- { { ct->tuplehash[!dir].tuple.src.ip, +- { 0 } }, +- { data_ip, +- { data_port }, +- IPPROTO_UDP }}); +- exp->mask = ((struct ip_conntrack_tuple) +- { { 0xFFFFFFFF, { 0 } }, +- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); +- +- exp->expectfn = NULL; +- +- /* Ignore failure; should only happen with NAT */ +- ip_conntrack_expect_related(ct, exp); +- +- UNLOCK_BH(&ip_h323_lock); +- } +- } +- +- return NF_ACCEPT; +- +-} +- +-/* H.245 helper is not registered! */ +-static struct ip_conntrack_helper h245 = +- { { NULL, NULL }, +- "H.245", /* name */ +- IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ +- NULL, /* module */ +- 8, /* max_ expected */ +- 240, /* timeout */ +- { { 0, { 0 } }, /* tuple */ +- { 0, { 0 }, IPPROTO_TCP } }, +- { { 0, { 0xFFFF } }, /* mask */ +- { 0, { 0 }, 0xFFFF } }, +- h245_help /* helper */ +- }; +- +-static int h225_expect(struct ip_conntrack *ct) +-{ +- WRITE_LOCK(&ip_conntrack_lock); +- ct->helper = &h245; +- DEBUGP("h225_expect: helper for %p added\n", ct); +- WRITE_UNLOCK(&ip_conntrack_lock); +- +- return NF_ACCEPT; /* unused */ +-} +- +-static int h225_help(const struct iphdr *iph, size_t len, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo) +-{ +- struct tcphdr *tcph = (void *)iph + iph->ihl * 4; +- unsigned char *data = (unsigned char *) tcph + tcph->doff * 4; +- unsigned char *data_limit; +- u_int32_t tcplen = len - iph->ihl * 4; +- u_int32_t datalen = tcplen - tcph->doff * 4; +- int dir = CTINFO2DIR(ctinfo); +- struct ip_ct_h225_master *info = &ct->help.ct_h225_info; +- struct ip_conntrack_expect expect, *exp = &expect; +- struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info; +- u_int16_t data_port; +- u_int32_t data_ip; +- unsigned int i; +- +- DEBUGP("ct_h225_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", +- NIPQUAD(iph->saddr), ntohs(tcph->source), +- NIPQUAD(iph->daddr), ntohs(tcph->dest)); +- +- /* Can't track connections formed before we registered */ +- if (!info) +- return NF_ACCEPT; +- +- /* Until there's been traffic both ways, don't look in packets. */ +- if (ctinfo != IP_CT_ESTABLISHED +- && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { +- DEBUGP("ct_h225_help: Conntrackinfo = %u\n", ctinfo); +- return NF_ACCEPT; +- } +- +- /* Not whole TCP header or too short packet? */ +- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) { +- DEBUGP("ct_h225_help: tcplen = %u\n", (unsigned)tcplen); +- return NF_ACCEPT; +- } +- +- /* Checksum invalid? Ignore. */ +- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, +- csum_partial((char *)tcph, tcplen, 0))) { +- DEBUGP("ct_h225_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", +- tcph, tcplen, NIPQUAD(iph->saddr), +- NIPQUAD(iph->daddr)); +- return NF_ACCEPT; +- } +- +- data_limit = (unsigned char *) data + datalen; +- /* bytes: 0123 45 +- ipadrr port */ +- for (i = 0; data < (data_limit - 5); data++, i++) { +- memcpy(&data_ip, data, sizeof(u_int32_t)); +- if (data_ip == iph->saddr) { +- memcpy(&data_port, data + 4, sizeof(u_int16_t)); +- if (data_port == tcph->source) { +- /* Signal address */ +- DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n", +- NIPQUAD(iph->saddr)); +- /* Update the H.225 info so that NAT can mangle the address/port +- even when we have no expected connection! */ +-#ifdef CONFIG_IP_NF_NAT_NEEDED +- LOCK_BH(&ip_h323_lock); +- info->dir = dir; +- info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i; +- info->offset[IP_CT_DIR_ORIGINAL] = i; +- UNLOCK_BH(&ip_h323_lock); +-#endif +- } else { +- memset(&expect, 0, sizeof(expect)); +- +- /* update the H.225 info */ +- LOCK_BH(&ip_h323_lock); +- info->is_h225 = H225_PORT; +- exp_info->port = data_port; +- exp_info->dir = dir; +- exp_info->offset = i; +- +- exp->seq = ntohl(tcph->seq) + i; +- +- exp->tuple = ((struct ip_conntrack_tuple) +- { { ct->tuplehash[!dir].tuple.src.ip, +- { 0 } }, +- { data_ip, +- { data_port }, +- IPPROTO_TCP }}); +- exp->mask = ((struct ip_conntrack_tuple) +- { { 0xFFFFFFFF, { 0 } }, +- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); +- +- exp->expectfn = h225_expect; +- +- /* Ignore failure */ +- ip_conntrack_expect_related(ct, exp); +- +- DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n", +- NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), +- NIPQUAD(iph->saddr), ntohs(data_port)); +- +- UNLOCK_BH(&ip_h323_lock); +- } +-#ifdef CONFIG_IP_NF_NAT_NEEDED +- } else if (data_ip == iph->daddr) { +- memcpy(&data_port, data + 4, sizeof(u_int16_t)); +- if (data_port == tcph->dest) { +- /* Signal address */ +- DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n", +- NIPQUAD(iph->daddr)); +- /* Update the H.225 info so that NAT can mangle the address/port +- even when we have no expected connection! */ +- LOCK_BH(&ip_h323_lock); +- info->dir = dir; +- info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i; +- info->offset[IP_CT_DIR_REPLY] = i; +- UNLOCK_BH(&ip_h323_lock); +- } +-#endif +- } +- } +- +- return NF_ACCEPT; +- +-} +- +-static struct ip_conntrack_helper h225 = +- { { NULL, NULL }, +- "H.225", /* name */ +- IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ +- THIS_MODULE, /* module */ +- 2, /* max_expected */ +- 240, /* timeout */ +- { { 0, { __constant_htons(H225_PORT) } }, /* tuple */ +- { 0, { 0 }, IPPROTO_TCP } }, +- { { 0, { 0xFFFF } }, /* mask */ +- { 0, { 0 }, 0xFFFF } }, +- h225_help /* helper */ +- }; +- +-static int __init init(void) +-{ +- return ip_conntrack_helper_register(&h225); +-} +- +-static void __exit fini(void) +-{ +- /* Unregister H.225 helper */ +- ip_conntrack_helper_unregister(&h225); +-} +- +-#ifdef CONFIG_IP_NF_NAT_NEEDED +-EXPORT_SYMBOL(ip_h323_lock); +-#endif +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_mms.c linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c +--- linux/net/ipv4/netfilter/ip_conntrack_mms.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,292 +0,0 @@ +-/* MMS extension for IP connection tracking +- * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be> +- * based on ip_conntrack_ftp.c and ip_conntrack_irc.c +- * +- * ip_conntrack_mms.c v0.3 2002-09-22 +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- * +- * Module load syntax: +- * insmod ip_conntrack_mms.o ports=port1,port2,...port<MAX_PORTS> +- * +- * Please give the ports of all MMS servers You wish to connect to. +- * If you don't specify ports, the default will be TCP port 1755. +- * +- * More info on MMS protocol, firewalls and NAT: +- * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp +- * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp +- * +- * The SDP project people are reverse-engineering MMS: +- * http://get.to/sdp +- */ +- +-#include <linux/config.h> +-#include <linux/module.h> +-#include <linux/netfilter.h> +-#include <linux/ip.h> +-#include <linux/ctype.h> +-#include <net/checksum.h> +-#include <net/tcp.h> +- +-#include <linux/netfilter_ipv4/lockhelp.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_mms.h> +- +-DECLARE_LOCK(ip_mms_lock); +-struct module *ip_conntrack_mms = THIS_MODULE; +- +-#define MAX_PORTS 8 +-static int ports[MAX_PORTS]; +-static int ports_c; +-#ifdef MODULE_PARM +-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); +-#endif +- +-#define DEBUGP(format, args...) +- +-#ifdef CONFIG_IP_NF_NAT_NEEDED +-EXPORT_SYMBOL(ip_mms_lock); +-#endif +- +-MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>"); +-MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module"); +-MODULE_LICENSE("GPL"); +- +-/* #define isdigit(c) (c >= '0' && c <= '9') */ +- +-/* copied from drivers/usb/serial/io_edgeport.c - not perfect but will do the trick */ +-static void unicode_to_ascii (char *string, short *unicode, int unicode_size) +-{ +- int i; +- for (i = 0; i < unicode_size; ++i) { +- string[i] = (char)(unicode[i]); +- } +- string[unicode_size] = 0x00; +-} +- +-__inline static int atoi(char *s) +-{ +- int i=0; +- while (isdigit(*s)) { +- i = i*10 + *(s++) - '0'; +- } +- return i; +-} +- +-/* convert ip address string like "192.168.0.10" to unsigned int */ +-__inline static u_int32_t asciiiptoi(char *s) +-{ +- unsigned int i, j, k; +- +- for(i=k=0; k<3; ++k, ++s, i<<=8) { +- i+=atoi(s); +- for(j=0; (*(++s) != '.') && (j<3); ++j) +- ; +- } +- i+=atoi(s); +- return ntohl(i); +-} +- +-int parse_mms(const char *data, +- const unsigned int datalen, +- u_int32_t *mms_ip, +- u_int16_t *mms_proto, +- u_int16_t *mms_port, +- char **mms_string_b, +- char **mms_string_e, +- char **mms_padding_e) +-{ +- int unicode_size, i; +- char tempstring[28]; /* "\\255.255.255.255\UDP\65535" */ +- char getlengthstring[28]; +- +- for(unicode_size=0; +- (char) *(data+(MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2)) != (char)0; +- unicode_size++) +- if ((unicode_size == 28) || (MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2 >= datalen)) +- return -1; /* out of bounds - incomplete packet */ +- +- unicode_to_ascii(tempstring, (short *)(data+MMS_SRV_UNICODE_STRING_OFFSET), unicode_size); +- DEBUGP("ip_conntrack_mms: offset 60: %s\n", (const char *)(tempstring)); +- +- /* IP address ? */ +- *mms_ip = asciiiptoi(tempstring+2); +- +- i=sprintf(getlengthstring, "%u.%u.%u.%u", HIPQUAD(*mms_ip)); +- +- /* protocol ? */ +- if(strncmp(tempstring+3+i, "TCP", 3)==0) +- *mms_proto = IPPROTO_TCP; +- else if(strncmp(tempstring+3+i, "UDP", 3)==0) +- *mms_proto = IPPROTO_UDP; +- +- /* port ? */ +- *mms_port = atoi(tempstring+7+i); +- +- /* we store a pointer to the beginning of the "\\a.b.c.d\proto\port" +- unicode string, one to the end of the string, and one to the end +- of the packet, since we must keep track of the number of bytes +- between end of the unicode string and the end of packet (padding) */ +- *mms_string_b = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET); +- *mms_string_e = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET + unicode_size * 2); +- *mms_padding_e = (char *)(data + datalen); /* looks funny, doesn't it */ +- return 0; +-} +- +- +-static int help(const struct iphdr *iph, size_t len, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo) +-{ +- /* tcplen not negative guaranteed by ip_conntrack_tcp.c */ +- struct tcphdr *tcph = (void *)iph + iph->ihl * 4; +- const char *data = (const char *)tcph + tcph->doff * 4; +- unsigned int tcplen = len - iph->ihl * 4; +- unsigned int datalen = tcplen - tcph->doff * 4; +- int dir = CTINFO2DIR(ctinfo); +- struct ip_conntrack_expect expect, *exp = &expect; +- struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info; +- +- u_int32_t mms_ip; +- u_int16_t mms_proto; +- char mms_proto_string[8]; +- u_int16_t mms_port; +- char *mms_string_b, *mms_string_e, *mms_padding_e; +- +- /* Until there's been traffic both ways, don't look in packets. */ +- if (ctinfo != IP_CT_ESTABLISHED +- && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) { +- DEBUGP("ip_conntrack_mms: Conntrackinfo = %u\n", ctinfo); +- return NF_ACCEPT; +- } +- +- /* Not whole TCP header? */ +- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) { +- DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen); +- return NF_ACCEPT; +- } +- +- /* Checksum invalid? Ignore. */ +- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, +- csum_partial((char *)tcph, tcplen, 0))) { +- DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", +- tcph, tcplen, NIPQUAD(iph->saddr), +- NIPQUAD(iph->daddr)); +- return NF_ACCEPT; +- } +- +- /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */ +- if( (MMS_SRV_MSG_OFFSET < datalen) && +- ((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) { +- DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n", +- (u8)*(data+36), (u8)*(data+37), +- (u8)*(data+38), (u8)*(data+39), +- datalen); +- if(parse_mms(data, datalen, &mms_ip, &mms_proto, &mms_port, +- &mms_string_b, &mms_string_e, &mms_padding_e)) +- if(net_ratelimit()) +- printk(KERN_WARNING +- "ip_conntrack_mms: Unable to parse data payload\n"); +- +- memset(&expect, 0, sizeof(expect)); +- +- sprintf(mms_proto_string, "(%u)", mms_proto); +- DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n", +- mms_proto == IPPROTO_TCP ? "TCP" +- : mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string, +- NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), +- NIPQUAD(mms_ip), +- mms_port); +- +- /* it's possible that the client will just ask the server to tunnel +- the stream over the same TCP session (from port 1755): there's +- shouldn't be a need to add an expectation in that case, but it +- makes NAT packet mangling so much easier */ +- LOCK_BH(&ip_mms_lock); +- +- DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq); +- +- exp->seq = ntohl(tcph->seq) + (mms_string_b - data); +- exp_mms_info->len = (mms_string_e - mms_string_b); +- exp_mms_info->padding = (mms_padding_e - mms_string_e); +- exp_mms_info->port = mms_port; +- +- DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n", +- exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding); +- +- exp->tuple = ((struct ip_conntrack_tuple) +- { { ct->tuplehash[!dir].tuple.src.ip, { 0 } }, +- { mms_ip, +- { (__u16) ntohs(mms_port) }, +- mms_proto } } +- ); +- exp->mask = ((struct ip_conntrack_tuple) +- { { 0xFFFFFFFF, { 0 } }, +- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); +- exp->expectfn = NULL; +- ip_conntrack_expect_related(ct, &expect); +- UNLOCK_BH(&ip_mms_lock); +- } +- +- return NF_ACCEPT; +-} +- +-static struct ip_conntrack_helper mms[MAX_PORTS]; +-static char mms_names[MAX_PORTS][10]; +- +-/* Not __exit: called from init() */ +-static void fini(void) +-{ +- int i; +- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { +- DEBUGP("ip_conntrack_mms: unregistering helper for port %d\n", +- ports[i]); +- ip_conntrack_helper_unregister(&mms[i]); +- } +-} +- +-static int __init init(void) +-{ +- int i, ret; +- char *tmpname; +- +- if (ports[0] == 0) +- ports[0] = MMS_PORT; +- +- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { +- memset(&mms[i], 0, sizeof(struct ip_conntrack_helper)); +- mms[i].tuple.src.u.tcp.port = htons(ports[i]); +- mms[i].tuple.dst.protonum = IPPROTO_TCP; +- mms[i].mask.src.u.tcp.port = 0xFFFF; +- mms[i].mask.dst.protonum = 0xFFFF; +- mms[i].max_expected = 1; +- mms[i].timeout = 0; +- mms[i].flags = IP_CT_HELPER_F_REUSE_EXPECT; +- mms[i].me = THIS_MODULE; +- mms[i].help = help; +- +- tmpname = &mms_names[i][0]; +- if (ports[i] == MMS_PORT) +- sprintf(tmpname, "mms"); +- else +- sprintf(tmpname, "mms-%d", ports[i]); +- mms[i].name = tmpname; +- +- DEBUGP("ip_conntrack_mms: registering helper for port %d\n", +- ports[i]); +- ret = ip_conntrack_helper_register(&mms[i]); +- +- if (ret) { +- fini(); +- return ret; +- } +- ports_c++; +- } +- return 0; +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_pptp.c linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c +--- linux/net/ipv4/netfilter/ip_conntrack_pptp.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,531 +0,0 @@ +-/* +- * ip_conntrack_pptp.c - Version 1.11 +- * +- * Connection tracking support for PPTP (Point to Point Tunneling Protocol). +- * PPTP is a a protocol for creating virtual private networks. +- * It is a specification defined by Microsoft and some vendors +- * working with Microsoft. PPTP is built on top of a modified +- * version of the Internet Generic Routing Encapsulation Protocol. +- * GRE is defined in RFC 1701 and RFC 1702. Documentation of +- * PPTP can be found in RFC 2637 +- * +- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>, +- * +- * Development of this code funded by Astaro AG (http://www.astaro.com/) +- * +- * Limitations: +- * - We blindly assume that control connections are always +- * established in PNS->PAC direction. This is a violation +- * of RFFC2673 +- * +- * TODO: - finish support for multiple calls within one session +- * (needs expect reservations in newnat) +- * - testing of incoming PPTP calls +- */ +- +-#include <linux/config.h> +-#include <linux/module.h> +-#include <linux/netfilter.h> +-#include <linux/ip.h> +-#include <net/checksum.h> +-#include <net/tcp.h> +- +-#include <linux/netfilter_ipv4/lockhelp.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> +-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> +- +-MODULE_LICENSE("GPL"); +-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); +-MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP"); +- +-DECLARE_LOCK(ip_pptp_lock); +- +-#define DEBUGP(format, args...) +- +-#define SECS *HZ +-#define MINS * 60 SECS +-#define HOURS * 60 MINS +-#define DAYS * 24 HOURS +- +-#define PPTP_GRE_TIMEOUT (10 MINS) +-#define PPTP_GRE_STREAM_TIMEOUT (5 DAYS) +- +-static int pptp_expectfn(struct ip_conntrack *ct) +-{ +- struct ip_conntrack_expect *exp, *other_exp; +- struct ip_conntrack *master; +- +- DEBUGP("increasing timeouts\n"); +- /* increase timeout of GRE data channel conntrack entry */ +- ct->proto.gre.timeout = PPTP_GRE_TIMEOUT; +- ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT; +- +- master = master_ct(ct); +- if (!master) { +- DEBUGP(" no master!!!\n"); +- return 0; +- } +- +- DEBUGP("completing tuples with ct info\n"); +- /* we can do this, since we're unconfirmed */ +- if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key == +- htonl(master->help.ct_pptp_info.pac_call_id)) { +- /* assume PNS->PAC */ +- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key = +- htonl(master->help.ct_pptp_info.pns_call_id); +- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key = +- htonl(master->help.ct_pptp_info.pns_call_id); +- } else { +- /* assume PAC->PNS */ +- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key = +- htonl(master->help.ct_pptp_info.pac_call_id); +- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key = +- htonl(master->help.ct_pptp_info.pns_call_id); +- } +- +- return 0; +-} +- +-/* timeout GRE data connections */ +-static int pptp_timeout_related(struct ip_conntrack *ct) +-{ +- struct list_head *cur_item; +- struct ip_conntrack_expect *exp; +- +- list_for_each(cur_item, &ct->sibling_list) { +- exp = list_entry(cur_item, struct ip_conntrack_expect, +- expected_list); +- +- if (!exp->sibling) +- continue; +- +- DEBUGP("setting timeout of conntrack %p to 0\n", +- exp->sibling); +- exp->sibling->proto.gre.timeout = 0; +- exp->sibling->proto.gre.stream_timeout = 0; +- ip_ct_refresh(exp->sibling, 0); +- } +- +- return 0; +-} +- +-/* expect GRE connection in PNS->PAC direction */ +-static inline int +-exp_gre(struct ip_conntrack *master, +- u_int32_t seq, +- u_int16_t callid, +- u_int16_t peer_callid) +-{ +- struct ip_conntrack_expect exp; +- struct ip_conntrack_tuple inv_tuple; +- +- memset(&exp, 0, sizeof(exp)); +- /* tuple in original direction, PAC->PNS */ +- exp.tuple.src.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; +- exp.tuple.src.u.gre.key = htonl(ntohs(peer_callid)); +- exp.tuple.dst.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; +- exp.tuple.dst.u.gre.key = htonl(ntohs(callid)); +- exp.tuple.dst.u.gre.protocol = __constant_htons(GRE_PROTOCOL_PPTP); +- exp.tuple.dst.u.gre.version = GRE_VERSION_PPTP; +- exp.tuple.dst.protonum = IPPROTO_GRE; +- +- exp.mask.src.ip = 0xffffffff; +- exp.mask.src.u.all = 0; +- exp.mask.dst.u.all = 0; +- exp.mask.dst.u.gre.key = 0xffffffff; +- exp.mask.dst.u.gre.version = 0xff; +- exp.mask.dst.u.gre.protocol = 0xffff; +- exp.mask.dst.ip = 0xffffffff; +- exp.mask.dst.protonum = 0xffff; +- +- exp.seq = seq; +- exp.expectfn = pptp_expectfn; +- +- exp.help.exp_pptp_info.pac_call_id = ntohs(callid); +- exp.help.exp_pptp_info.pns_call_id = ntohs(peer_callid); +- +- DEBUGP("calling expect_related "); +- DUMP_TUPLE_RAW(&exp.tuple); +- +- /* Add GRE keymap entries */ +- ip_ct_gre_keymap_add(&exp, &exp.tuple, 0); +- invert_tuplepr(&inv_tuple, &exp.tuple); +- ip_ct_gre_keymap_add(&exp, &inv_tuple, 1); +- +- ip_conntrack_expect_related(master, &exp); +- +- return 0; +-} +- +-static inline int +-pptp_inbound_pkt(struct tcphdr *tcph, +- struct pptp_pkt_hdr *pptph, +- size_t datalen, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo) +-{ +- struct PptpControlHeader *ctlh; +- union pptp_ctrl_union pptpReq; +- +- struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info; +- u_int16_t msg, *cid, *pcid; +- u_int32_t seq; +- +- ctlh = (struct PptpControlHeader *) +- ((char *) pptph + sizeof(struct pptp_pkt_hdr)); +- pptpReq.rawreq = (void *) +- ((char *) ctlh + sizeof(struct PptpControlHeader)); +- +- msg = ntohs(ctlh->messageType); +- DEBUGP("inbound control message %s\n", strMName[msg]); +- +- switch (msg) { +- case PPTP_START_SESSION_REPLY: +- /* server confirms new control session */ +- if (info->sstate < PPTP_SESSION_REQUESTED) { +- DEBUGP("%s without START_SESS_REQUEST\n", +- strMName[msg]); +- break; +- } +- if (pptpReq.srep->resultCode == PPTP_START_OK) +- info->sstate = PPTP_SESSION_CONFIRMED; +- else +- info->sstate = PPTP_SESSION_ERROR; +- break; +- +- case PPTP_STOP_SESSION_REPLY: +- /* server confirms end of control session */ +- if (info->sstate > PPTP_SESSION_STOPREQ) { +- DEBUGP("%s without STOP_SESS_REQUEST\n", +- strMName[msg]); +- break; +- } +- if (pptpReq.strep->resultCode == PPTP_STOP_OK) +- info->sstate = PPTP_SESSION_NONE; +- else +- info->sstate = PPTP_SESSION_ERROR; +- break; +- +- case PPTP_OUT_CALL_REPLY: +- /* server accepted call, we now expect GRE frames */ +- if (info->sstate != PPTP_SESSION_CONFIRMED) { +- DEBUGP("%s but no session\n", strMName[msg]); +- break; +- } +- if (info->cstate != PPTP_CALL_OUT_REQ && +- info->cstate != PPTP_CALL_OUT_CONF) { +- DEBUGP("%s without OUTCALL_REQ\n", strMName[msg]); +- break; +- } +- if (pptpReq.ocack->resultCode != PPTP_OUTCALL_CONNECT) { +- info->cstate = PPTP_CALL_NONE; +- break; +- } +- +- cid = &pptpReq.ocack->callID; +- pcid = &pptpReq.ocack->peersCallID; +- +- info->pac_call_id = ntohs(*cid); +- +- if (htons(info->pns_call_id) != *pcid) { +- DEBUGP("%s for unknown callid %u\n", +- strMName[msg], ntohs(*pcid)); +- break; +- } +- +- DEBUGP("%s, CID=%X, PCID=%X\n", strMName[msg], +- ntohs(*cid), ntohs(*pcid)); +- +- info->cstate = PPTP_CALL_OUT_CONF; +- +- seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph); +- exp_gre(ct, seq, *cid, *pcid); +- break; +- +- case PPTP_IN_CALL_REQUEST: +- /* server tells us about incoming call request */ +- if (info->sstate != PPTP_SESSION_CONFIRMED) { +- DEBUGP("%s but no session\n", strMName[msg]); +- break; +- } +- pcid = &pptpReq.icack->peersCallID; +- DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid)); +- info->cstate = PPTP_CALL_IN_REQ; +- info->pac_call_id= ntohs(*pcid); +- break; +- +- case PPTP_IN_CALL_CONNECT: +- /* server tells us about incoming call established */ +- if (info->sstate != PPTP_SESSION_CONFIRMED) { +- DEBUGP("%s but no session\n", strMName[msg]); +- break; +- } +- if (info->sstate != PPTP_CALL_IN_REP +- && info->sstate != PPTP_CALL_IN_CONF) { +- DEBUGP("%s but never sent IN_CALL_REPLY\n", +- strMName[msg]); +- break; +- } +- +- pcid = &pptpReq.iccon->peersCallID; +- cid = &info->pac_call_id; +- +- if (info->pns_call_id != ntohs(*pcid)) { +- DEBUGP("%s for unknown CallID %u\n", +- strMName[msg], ntohs(*cid)); +- break; +- } +- +- DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid)); +- info->cstate = PPTP_CALL_IN_CONF; +- +- /* we expect a GRE connection from PAC to PNS */ +- seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph); +- exp_gre(ct, seq, *cid, *pcid); +- +- break; +- +- case PPTP_CALL_DISCONNECT_NOTIFY: +- /* server confirms disconnect */ +- cid = &pptpReq.disc->callID; +- DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid)); +- info->cstate = PPTP_CALL_NONE; +- +- /* untrack this call id, unexpect GRE packets */ +- pptp_timeout_related(ct); +- /* NEWNAT: look up exp for call id and unexpct_related */ +- break; +- +- case PPTP_WAN_ERROR_NOTIFY: +- break; +- +- case PPTP_ECHO_REQUEST: +- case PPTP_ECHO_REPLY: +- /* I don't have to explain these ;) */ +- break; +- default: +- DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX) +- ? strMName[msg]:strMName[0], msg); +- break; +- } +- +- return NF_ACCEPT; +- +-} +- +-static inline int +-pptp_outbound_pkt(struct tcphdr *tcph, +- struct pptp_pkt_hdr *pptph, +- size_t datalen, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo) +-{ +- struct PptpControlHeader *ctlh; +- union pptp_ctrl_union pptpReq; +- struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info; +- u_int16_t msg, *cid, *pcid; +- +- ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph)); +- pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh)); +- +- msg = ntohs(ctlh->messageType); +- DEBUGP("outbound control message %s\n", strMName[msg]); +- +- switch (msg) { +- case PPTP_START_SESSION_REQUEST: +- /* client requests for new control session */ +- if (info->sstate != PPTP_SESSION_NONE) { +- DEBUGP("%s but we already have one", +- strMName[msg]); +- } +- info->sstate = PPTP_SESSION_REQUESTED; +- break; +- case PPTP_STOP_SESSION_REQUEST: +- /* client requests end of control session */ +- info->sstate = PPTP_SESSION_STOPREQ; +- break; +- +- case PPTP_OUT_CALL_REQUEST: +- /* client initiating connection to server */ +- if (info->sstate != PPTP_SESSION_CONFIRMED) { +- DEBUGP("%s but no session\n", +- strMName[msg]); +- break; +- } +- info->cstate = PPTP_CALL_OUT_REQ; +- /* track PNS call id */ +- cid = &pptpReq.ocreq->callID; +- DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid)); +- info->pns_call_id = ntohs(*cid); +- break; +- case PPTP_IN_CALL_REPLY: +- /* client answers incoming call */ +- if (info->cstate != PPTP_CALL_IN_REQ +- && info->cstate != PPTP_CALL_IN_REP) { +- DEBUGP("%s without incall_req\n", +- strMName[msg]); +- break; +- } +- if (pptpReq.icack->resultCode != PPTP_INCALL_ACCEPT) { +- info->cstate = PPTP_CALL_NONE; +- break; +- } +- pcid = &pptpReq.icack->peersCallID; +- if (info->pac_call_id != ntohs(*pcid)) { +- DEBUGP("%s for unknown call %u\n", +- strMName[msg], ntohs(*pcid)); +- break; +- } +- DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*pcid)); +- /* part two of the three-way handshake */ +- info->cstate = PPTP_CALL_IN_REP; +- info->pns_call_id = ntohs(pptpReq.icack->callID); +- break; +- +- case PPTP_CALL_CLEAR_REQUEST: +- /* client requests hangup of call */ +- if (info->sstate != PPTP_SESSION_CONFIRMED) { +- DEBUGP("CLEAR_CALL but no session\n"); +- break; +- } +- /* FUTURE: iterate over all calls and check if +- * call ID is valid. We don't do this without newnat, +- * because we only know about last call */ +- info->cstate = PPTP_CALL_CLEAR_REQ; +- break; +- case PPTP_SET_LINK_INFO: +- break; +- case PPTP_ECHO_REQUEST: +- case PPTP_ECHO_REPLY: +- /* I don't have to explain these ;) */ +- break; +- default: +- DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)? +- strMName[msg]:strMName[0], msg); +- /* unknown: no need to create GRE masq table entry */ +- break; +- } +- +- return NF_ACCEPT; +-} +- +- +-/* track caller id inside control connection, call expect_related */ +-static int +-conntrack_pptp_help(const struct iphdr *iph, size_t len, +- struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) +- +-{ +- struct pptp_pkt_hdr *pptph; +- +- struct tcphdr *tcph = (void *) iph + iph->ihl * 4; +- u_int32_t tcplen = len - iph->ihl * 4; +- u_int32_t datalen = tcplen - tcph->doff * 4; +- void *datalimit; +- int dir = CTINFO2DIR(ctinfo); +- struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info; +- +- int oldsstate, oldcstate; +- int ret; +- +- /* don't do any tracking before tcp handshake complete */ +- if (ctinfo != IP_CT_ESTABLISHED +- && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) { +- DEBUGP("ctinfo = %u, skipping\n", ctinfo); +- return NF_ACCEPT; +- } +- +- /* not a complete TCP header? */ +- if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) { +- DEBUGP("tcplen = %u\n", tcplen); +- return NF_ACCEPT; +- } +- +- /* checksum invalid? */ +- if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, +- csum_partial((char *) tcph, tcplen, 0))) { +- printk(KERN_NOTICE __FILE__ ": bad csum\n"); +-// return NF_ACCEPT; +- } +- +- if (tcph->fin || tcph->rst) { +- DEBUGP("RST/FIN received, timeouting GRE\n"); +- /* can't do this after real newnat */ +- info->cstate = PPTP_CALL_NONE; +- +- /* untrack this call id, unexpect GRE packets */ +- pptp_timeout_related(ct); +- /* no need to call unexpect_related since master conn +- * dies anyway */ +- } +- +- +- pptph = (struct pptp_pkt_hdr *) ((void *) tcph + tcph->doff * 4); +- datalimit = (void *) pptph + datalen; +- +- /* not a full pptp packet header? */ +- if ((void *) pptph+sizeof(*pptph) >= datalimit) { +- DEBUGP("no full PPTP header, can't track\n"); +- return NF_ACCEPT; +- } +- +- /* if it's not a control message we can't do anything with it */ +- if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL || +- ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) { +- DEBUGP("not a control packet\n"); +- return NF_ACCEPT; +- } +- +- oldsstate = info->sstate; +- oldcstate = info->cstate; +- +- LOCK_BH(&ip_pptp_lock); +- +- if (dir == IP_CT_DIR_ORIGINAL) +- /* client -> server (PNS -> PAC) */ +- ret = pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo); +- else +- /* server -> client (PAC -> PNS) */ +- ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo); +- DEBUGP("sstate: %d->%d, cstate: %d->%d\n", +- oldsstate, info->sstate, oldcstate, info->cstate); +- UNLOCK_BH(&ip_pptp_lock); +- +- return ret; +-} +- +-/* control protocol helper */ +-static struct ip_conntrack_helper pptp = { +- { NULL, NULL }, +- "pptp", IP_CT_HELPER_F_REUSE_EXPECT, THIS_MODULE, 2, 0, +- { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } }, +- { 0, { 0 }, IPPROTO_TCP } }, +- { { 0, { tcp: { port: 0xffff } } }, +- { 0, { 0 }, 0xffff } }, +- conntrack_pptp_help }; +- +-/* ip_conntrack_pptp initialization */ +-static int __init init(void) +-{ +- int retcode; +- +- DEBUGP(__FILE__ ": registering helper\n"); +- if ((retcode = ip_conntrack_helper_register(&pptp))) { +- printk(KERN_ERR "Unable to register conntrack application " +- "helper for pptp: %d\n", retcode); +- return -EIO; +- } +- +- return 0; +-} +- +-static void __exit fini(void) +-{ +- ip_conntrack_helper_unregister(&pptp); +-} +- +-module_init(init); +-module_exit(fini); +- +-EXPORT_SYMBOL(ip_pptp_lock); +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h +--- linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,24 +0,0 @@ +-#ifndef _IP_CT_PPTP_PRIV_H +-#define _IP_CT_PPTP_PRIV_H +- +-/* PptpControlMessageType names */ +-static const char *strMName[] = { +- "UNKNOWN_MESSAGE", +- "START_SESSION_REQUEST", +- "START_SESSION_REPLY", +- "STOP_SESSION_REQUEST", +- "STOP_SESSION_REPLY", +- "ECHO_REQUEST", +- "ECHO_REPLY", +- "OUT_CALL_REQUEST", +- "OUT_CALL_REPLY", +- "IN_CALL_REQUEST", +- "IN_CALL_REPLY", +- "IN_CALL_CONNECT", +- "CALL_CLEAR_REQUEST", +- "CALL_DISCONNECT_NOTIFY", +- "WAN_ERROR_NOTIFY", +- "SET_LINK_INFO" +-}; +- +-#endif +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c +--- linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,320 +0,0 @@ +-/* +- * ip_conntrack_proto_gre.c - Version 1.11 +- * +- * Connection tracking protocol helper module for GRE. +- * +- * GRE is a generic encapsulation protocol, which is generally not very +- * suited for NAT, as it has no protocol-specific part as port numbers. +- * +- * It has an optional key field, which may help us distinguishing two +- * connections between the same two hosts. +- * +- * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784 +- * +- * PPTP is built on top of a modified version of GRE, and has a mandatory +- * field called "CallID", which serves us for the same purpose as the key +- * field in plain GRE. +- * +- * Documentation about PPTP can be found in RFC 2637 +- * +- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> +- * +- * Development of this code funded by Astaro AG (http://www.astaro.com/) +- * +- */ +- +-#include <linux/config.h> +-#include <linux/module.h> +-#include <linux/types.h> +-#include <linux/timer.h> +-#include <linux/netfilter.h> +-#include <linux/ip.h> +-#include <linux/in.h> +-#include <linux/list.h> +- +-#include <linux/netfilter_ipv4/lockhelp.h> +- +-DECLARE_RWLOCK(ip_ct_gre_lock); +-#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_ct_gre_lock) +-#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_ct_gre_lock) +- +-#include <linux/netfilter_ipv4/listhelp.h> +-#include <linux/netfilter_ipv4/ip_conntrack_protocol.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_core.h> +- +-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> +-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> +- +-MODULE_LICENSE("GPL"); +-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); +-MODULE_DESCRIPTION("netfilter connection tracking protocol helper for GRE"); +- +-/* shamelessly stolen from ip_conntrack_proto_udp.c */ +-#define GRE_TIMEOUT (30*HZ) +-#define GRE_STREAM_TIMEOUT (180*HZ) +- +-#define DEBUGP(x, args...) +-#define DUMP_TUPLE_GRE(x) +- +-/* GRE KEYMAP HANDLING FUNCTIONS */ +-static LIST_HEAD(gre_keymap_list); +- +-static inline int gre_key_cmpfn(const struct ip_ct_gre_keymap *km, +- const struct ip_conntrack_tuple *t) +-{ +- return ((km->tuple.src.ip == t->src.ip) && +- (km->tuple.dst.ip == t->dst.ip) && +- (km->tuple.dst.protonum == t->dst.protonum) && +- (km->tuple.dst.u.all == t->dst.u.all)); +-} +- +-/* look up the source key for a given tuple */ +-static u_int32_t gre_keymap_lookup(struct ip_conntrack_tuple *t) +-{ +- struct ip_ct_gre_keymap *km; +- u_int32_t key; +- +- READ_LOCK(&ip_ct_gre_lock); +- km = LIST_FIND(&gre_keymap_list, gre_key_cmpfn, +- struct ip_ct_gre_keymap *, t); +- if (!km) { +- READ_UNLOCK(&ip_ct_gre_lock); +- return 0; +- } +- +- key = km->tuple.src.u.gre.key; +- READ_UNLOCK(&ip_ct_gre_lock); +- +- return key; +-} +- +-/* add a single keymap entry, associate with specified expect */ +-int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp, +- struct ip_conntrack_tuple *t, int reply) +-{ +- struct ip_ct_gre_keymap *km; +- +- km = kmalloc(sizeof(*km), GFP_ATOMIC); +- if (!km) +- return -1; +- +- /* initializing list head should be sufficient */ +- memset(km, 0, sizeof(*km)); +- +- memcpy(&km->tuple, t, sizeof(*t)); +- km->master = exp; +- +- if (!reply) +- exp->proto.gre.keymap_orig = km; +- else +- exp->proto.gre.keymap_reply = km; +- +- DEBUGP("adding new entry %p: ", km); +- DUMP_TUPLE_GRE(&km->tuple); +- +- WRITE_LOCK(&ip_ct_gre_lock); +- list_append(&gre_keymap_list, km); +- WRITE_UNLOCK(&ip_ct_gre_lock); +- +- return 0; +-} +- +-/* change the tuple of a keymap entry (used by nat helper) */ +-void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km, +- struct ip_conntrack_tuple *t) +-{ +- DEBUGP("changing entry %p to: ", km); +- DUMP_TUPLE_GRE(t); +- +- WRITE_LOCK(&ip_ct_gre_lock); +- memcpy(&km->tuple, t, sizeof(km->tuple)); +- WRITE_UNLOCK(&ip_ct_gre_lock); +-} +- +- +-/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */ +- +-/* invert gre part of tuple */ +-static int gre_invert_tuple(struct ip_conntrack_tuple *tuple, +- const struct ip_conntrack_tuple *orig) +-{ +- tuple->dst.u.gre.protocol = orig->dst.u.gre.protocol; +- tuple->dst.u.gre.version = orig->dst.u.gre.version; +- +- tuple->dst.u.gre.key = orig->src.u.gre.key; +- tuple->src.u.gre.key = orig->dst.u.gre.key; +- +- return 1; +-} +- +-/* gre hdr info to tuple */ +-static int gre_pkt_to_tuple(const void *datah, size_t datalen, +- struct ip_conntrack_tuple *tuple) +-{ +- struct gre_hdr *grehdr = (struct gre_hdr *) datah; +- struct gre_hdr_pptp *pgrehdr = (struct gre_hdr_pptp *) datah; +- u_int32_t srckey; +- +- /* core guarantees 8 protocol bytes, no need for size check */ +- +- tuple->dst.u.gre.version = grehdr->version; +- tuple->dst.u.gre.protocol = grehdr->protocol; +- +- switch (grehdr->version) { +- case GRE_VERSION_1701: +- if (!grehdr->key) { +- DEBUGP("Can't track GRE without key\n"); +- return 0; +- } +- tuple->dst.u.gre.key = *(gre_key(grehdr)); +- break; +- +- case GRE_VERSION_PPTP: +- if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) { +- DEBUGP("GRE_VERSION_PPTP but unknown proto\n"); +- return 0; +- } +- tuple->dst.u.gre.key = htonl(ntohs(pgrehdr->call_id)); +- break; +- +- default: +- printk(KERN_WARNING "unknown GRE version %hu\n", +- tuple->dst.u.gre.version); +- return 0; +- } +- +- srckey = gre_keymap_lookup(tuple); +- +- tuple->src.u.gre.key = srckey; +- +- return 1; +-} +- +-/* print gre part of tuple */ +-static unsigned int gre_print_tuple(char *buffer, +- const struct ip_conntrack_tuple *tuple) +-{ +- return sprintf(buffer, "version=%d protocol=0x%04x srckey=0x%x dstkey=0x%x ", +- tuple->dst.u.gre.version, +- ntohs(tuple->dst.u.gre.protocol), +- ntohl(tuple->src.u.gre.key), +- ntohl(tuple->dst.u.gre.key)); +-} +- +-/* print private data for conntrack */ +-static unsigned int gre_print_conntrack(char *buffer, +- const struct ip_conntrack *ct) +-{ +- return sprintf(buffer, "timeout=%u, stream_timeout=%u ", +- (ct->proto.gre.timeout / HZ), +- (ct->proto.gre.stream_timeout / HZ)); +-} +- +-/* Returns verdict for packet, and may modify conntrack */ +-static int gre_packet(struct ip_conntrack *ct, +- struct iphdr *iph, size_t len, +- enum ip_conntrack_info conntrackinfo) +-{ +- /* If we've seen traffic both ways, this is a GRE connection. +- * Extend timeout. */ +- if (ct->status & IPS_SEEN_REPLY) { +- ip_ct_refresh(ct, ct->proto.gre.stream_timeout); +- /* Also, more likely to be important, and not a probe. */ +- set_bit(IPS_ASSURED_BIT, &ct->status); +- } else +- ip_ct_refresh(ct, ct->proto.gre.timeout); +- +- return NF_ACCEPT; +-} +- +-/* Called when a new connection for this protocol found. */ +-static int gre_new(struct ip_conntrack *ct, +- struct iphdr *iph, size_t len) +-{ +- DEBUGP(": "); +- DUMP_TUPLE_GRE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- +- /* initialize to sane value. Ideally a conntrack helper +- * (e.g. in case of pptp) is increasing them */ +- ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT; +- ct->proto.gre.timeout = GRE_TIMEOUT; +- +- return 1; +-} +- +-/* Called when a conntrack entry has already been removed from the hashes +- * and is about to be deleted from memory */ +-static void gre_destroy(struct ip_conntrack *ct) +-{ +- struct ip_conntrack_expect *master = ct->master; +- +- DEBUGP(" entering\n"); +- +- if (!master) { +- DEBUGP("no master exp for ct %p\n", ct); +- return; +- } +- +- WRITE_LOCK(&ip_ct_gre_lock); +- if (master->proto.gre.keymap_orig) { +- DEBUGP("removing %p from list\n", master->proto.gre.keymap_orig); +- list_del(&master->proto.gre.keymap_orig->list); +- kfree(master->proto.gre.keymap_orig); +- } +- if (master->proto.gre.keymap_reply) { +- DEBUGP("removing %p from list\n", master->proto.gre.keymap_reply); +- list_del(&master->proto.gre.keymap_reply->list); +- kfree(master->proto.gre.keymap_reply); +- } +- WRITE_UNLOCK(&ip_ct_gre_lock); +-} +- +-/* protocol helper struct */ +-static struct ip_conntrack_protocol gre = { { NULL, NULL }, IPPROTO_GRE, +- "gre", +- gre_pkt_to_tuple, +- gre_invert_tuple, +- gre_print_tuple, +- gre_print_conntrack, +- gre_packet, +- gre_new, +- gre_destroy, +- NULL, +- THIS_MODULE }; +- +-/* ip_conntrack_proto_gre initialization */ +-static int __init init(void) +-{ +- int retcode; +- +- if ((retcode = ip_conntrack_protocol_register(&gre))) { +- printk(KERN_ERR "Unable to register conntrack protocol " +- "helper for gre: %d\n", retcode); +- return -EIO; +- } +- +- return 0; +-} +- +-static void __exit fini(void) +-{ +- struct list_head *pos, *n; +- +- /* delete all keymap entries */ +- WRITE_LOCK(&ip_ct_gre_lock); +- list_for_each_safe(pos, n, &gre_keymap_list) { +- DEBUGP("deleting keymap %p\n", pos); +- list_del(pos); +- kfree(pos); +- } +- WRITE_UNLOCK(&ip_ct_gre_lock); +- +- ip_conntrack_protocol_unregister(&gre); +-} +- +-EXPORT_SYMBOL(ip_ct_gre_keymap_add); +-EXPORT_SYMBOL(ip_ct_gre_keymap_change); +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +--- linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2003-08-12 07:33:45.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-05-09 04:13:03.000000000 -0400 +@@ -15,11 +15,17 @@ + #include <linux/netfilter_ipv4/ip_conntrack_protocol.h> + #include <linux/netfilter_ipv4/lockhelp.h> + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + /* Protects conntrack->proto.tcp */ + static DECLARE_RWLOCK(tcp_lock); + ++/* FIXME: Examine ipfilter's timeouts and conntrack transitions more ++ closely. They're more complex. --RR */ + + /* Actually, I believe that neither ipmasq (where this code is stolen + from) nor ipfilter do it exactly right. A new conntrack machine taking +@@ -39,6 +45,25 @@ + "LISTEN" + }; + ++#define SECS *HZ ++#define MINS * 60 SECS ++#define HOURS * 60 MINS ++#define DAYS * 24 HOURS ++ ++ ++static unsigned long tcp_timeouts[] ++= { 30 MINS, /* TCP_CONNTRACK_NONE, */ ++ 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */ ++ 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */ ++ 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */ ++ 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */ ++ 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */ ++ 10 SECS, /* TCP_CONNTRACK_CLOSE, */ ++ 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */ ++ 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */ ++ 2 MINS, /* TCP_CONNTRACK_LISTEN, */ ++}; ++ + #define sNO TCP_CONNTRACK_NONE + #define sES TCP_CONNTRACK_ESTABLISHED + #define sSS TCP_CONNTRACK_SYN_SENT +@@ -161,13 +186,13 @@ + && tcph->syn && tcph->ack) + conntrack->proto.tcp.handshake_ack + = htonl(ntohl(tcph->seq) + 1); ++ WRITE_UNLOCK(&tcp_lock); + + /* If only reply is a RST, we can consider ourselves not to + have an established connection: this is a fairly common + problem case, so we can delete the conntrack + immediately. --RR */ + if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) { +- WRITE_UNLOCK(&tcp_lock); + if (del_timer(&conntrack->timeout)) + conntrack->timeout.function((unsigned long)conntrack); + } else { +@@ -178,9 +203,7 @@ + && tcph->ack_seq == conntrack->proto.tcp.handshake_ack) + set_bit(IPS_ASSURED_BIT, &conntrack->status); + +- WRITE_UNLOCK(&tcp_lock); +- ip_ct_refresh(conntrack, +- sysctl_ip_conntrack_tcp_timeouts[newconntrack]); ++ ip_ct_refresh(conntrack, tcp_timeouts[newconntrack]); + } + + return NF_ACCEPT; +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c +--- linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2003-08-12 07:33:45.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2004-05-09 04:13:03.000000000 -0400 +@@ -5,7 +5,9 @@ + #include <linux/in.h> + #include <linux/udp.h> + #include <linux/netfilter_ipv4/ip_conntrack_protocol.h> +-#include <linux/netfilter_ipv4/ip_conntrack_udp.h> ++ ++#define UDP_TIMEOUT (30*HZ) ++#define UDP_STREAM_TIMEOUT (180*HZ) + + static int udp_pkt_to_tuple(const void *datah, size_t datalen, + struct ip_conntrack_tuple *tuple) +@@ -50,13 +52,11 @@ + /* If we've seen traffic both ways, this is some kind of UDP + stream. Extend timeout. */ + if (conntrack->status & IPS_SEEN_REPLY) { +- ip_ct_refresh(conntrack, +- sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]); ++ ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT); + /* Also, more likely to be important, and not a probe */ + set_bit(IPS_ASSURED_BIT, &conntrack->status); + } else +- ip_ct_refresh(conntrack, +- sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]); ++ ip_ct_refresh(conntrack, UDP_TIMEOUT); + + return NF_ACCEPT; + } +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_standalone.c linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c +--- linux/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-08-12 07:33:45.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-05-09 04:13:03.000000000 -0400 +@@ -27,7 +27,11 @@ + #include <linux/netfilter_ipv4/ip_conntrack_helper.h> + #include <linux/netfilter_ipv4/listhelp.h> + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + struct module *ip_conntrack_module = THIS_MODULE; + MODULE_LICENSE("GPL"); +@@ -52,17 +56,12 @@ + return len; + } + ++/* FIXME: Don't print source proto part. --RR */ + static unsigned int + print_expect(char *buffer, const struct ip_conntrack_expect *expect) + { + unsigned int len; + +- if (!expect || !expect->expectant || !expect->expectant->helper) { +- DEBUGP("expect %x expect->expectant %x expect->expectant->helper %x\n", +- expect, expect->expectant, expect->expectant->helper); +- return 0; +- } +- + if (expect->expectant->helper->timeout) + len = sprintf(buffer, "EXPECTING: %lu ", + timer_pending(&expect->timeout) +@@ -294,6 +293,8 @@ + return ret; + } + ++/* FIXME: Allow NULL functions and sub in pointers to generic for ++ them. --RR */ + int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto) + { + int ret = 0; +@@ -362,8 +363,6 @@ + EXPORT_SYMBOL(ip_ct_find_proto); + EXPORT_SYMBOL(__ip_ct_find_proto); + EXPORT_SYMBOL(ip_ct_find_helper); +-EXPORT_SYMBOL(sysctl_ip_conntrack_tcp_timeouts); +-EXPORT_SYMBOL(sysctl_ip_conntrack_udp_timeouts); + EXPORT_SYMBOL(ip_conntrack_expect_related); + EXPORT_SYMBOL(ip_conntrack_change_expect); + EXPORT_SYMBOL(ip_conntrack_unexpect_related); +diff -Nurb linux/net/ipv4/netfilter/ip_conntrack_tftp.c linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c +--- linux/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,126 +0,0 @@ +-/* +- * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu> +- * Version: 0.0.7 +- * +- * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org> +- * - port to newnat API +- * +- */ +- +-#include <linux/module.h> +-#include <linux/ip.h> +-#include <linux/udp.h> +- +-#include <linux/netfilter.h> +-#include <linux/netfilter_ipv4/ip_tables.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_tftp.h> +- +-MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); +-MODULE_DESCRIPTION("Netfilter connection tracking module for tftp"); +-MODULE_LICENSE("GPL"); +- +-#define MAX_PORTS 8 +-static int ports[MAX_PORTS]; +-static int ports_c = 0; +-#ifdef MODULE_PARM +-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); +-MODULE_PARM_DESC(ports, "port numbers of tftp servers"); +-#endif +- +-#define DEBUGP(format, args...) +- +-static int tftp_help(const struct iphdr *iph, size_t len, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo) +-{ +- struct udphdr *udph = (void *)iph + iph->ihl * 4; +- struct tftphdr *tftph = (void *)udph + 8; +- struct ip_conntrack_expect exp; +- +- switch (ntohs(tftph->opcode)) { +- /* RRQ and WRQ works the same way */ +- case TFTP_OPCODE_READ: +- case TFTP_OPCODE_WRITE: +- DEBUGP(""); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); +- memset(&exp, 0, sizeof(exp)); +- +- exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; +- exp.mask.src.ip = 0xffffffff; +- exp.mask.dst.ip = 0xffffffff; +- exp.mask.dst.u.udp.port = 0xffff; +- exp.mask.dst.protonum = 0xffff; +- exp.expectfn = NULL; +- +- DEBUGP("expect: "); +- DUMP_TUPLE(&exp.tuple); +- DUMP_TUPLE(&exp.mask); +- ip_conntrack_expect_related(ct, &exp); +- break; +- default: +- DEBUGP("Unknown opcode\n"); +- } +- return NF_ACCEPT; +-} +- +-static struct ip_conntrack_helper tftp[MAX_PORTS]; +-static char tftp_names[MAX_PORTS][10]; +- +-static void fini(void) +-{ +- int i; +- +- for (i = 0 ; i < ports_c; i++) { +- DEBUGP("unregistering helper for port %d\n", +- ports[i]); +- ip_conntrack_helper_unregister(&tftp[i]); +- } +-} +- +-static int __init init(void) +-{ +- int i, ret; +- char *tmpname; +- +- if (!ports[0]) +- ports[0]=TFTP_PORT; +- +- for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) { +- /* Create helper structure */ +- memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper)); +- +- tftp[i].tuple.dst.protonum = IPPROTO_UDP; +- tftp[i].tuple.src.u.udp.port = htons(ports[i]); +- tftp[i].mask.dst.protonum = 0xFFFF; +- tftp[i].mask.src.u.udp.port = 0xFFFF; +- tftp[i].max_expected = 1; +- tftp[i].timeout = 0; +- tftp[i].flags = IP_CT_HELPER_F_REUSE_EXPECT; +- tftp[i].me = THIS_MODULE; +- tftp[i].help = tftp_help; +- +- tmpname = &tftp_names[i][0]; +- if (ports[i] == TFTP_PORT) +- sprintf(tmpname, "tftp"); +- else +- sprintf(tmpname, "tftp-%d", i); +- tftp[i].name = tmpname; +- +- DEBUGP("port #%d: %d\n", i, ports[i]); +- +- ret=ip_conntrack_helper_register(&tftp[i]); +- if (ret) { +- printk("ERROR registering helper for port %d\n", +- ports[i]); +- fini(); +- return(ret); +- } +- ports_c++; +- } +- return(0); +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_nat_core.c linux.stock/net/ipv4/netfilter/ip_nat_core.c +--- linux/net/ipv4/netfilter/ip_nat_core.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_core.c 2004-05-09 04:13:03.000000000 -0400 +@@ -31,7 +31,11 @@ + #include <linux/netfilter_ipv4/ip_conntrack_helper.h> + #include <linux/netfilter_ipv4/listhelp.h> + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + DECLARE_RWLOCK(ip_nat_lock); + DECLARE_RWLOCK_EXTERN(ip_conntrack_lock); +@@ -207,6 +211,7 @@ + { + struct rtable *rt; + ++ /* FIXME: IPTOS_TOS(iph->tos) --RR */ + if (ip_route_output(&rt, var_ip, 0, 0, 0) != 0) { + DEBUGP("do_extra_mangle: Can't get route to %u.%u.%u.%u\n", + NIPQUAD(var_ip)); +@@ -429,7 +434,7 @@ + *tuple = *orig_tuple; + while ((rptr = find_best_ips_proto_fast(tuple, mr, conntrack, hooknum)) + != NULL) { +- DEBUGP("Found best for "); DUMP_TUPLE_RAW(tuple); ++ DEBUGP("Found best for "); DUMP_TUPLE(tuple); + /* 3) The per-protocol part of the manip is made to + map into the range to make a unique tuple. */ + +@@ -529,6 +534,31 @@ + invert_tuplepr(&orig_tp, + &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple); + ++#if 0 ++ { ++ unsigned int i; ++ ++ DEBUGP("Hook %u (%s), ", hooknum, ++ HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST"); ++ DUMP_TUPLE(&orig_tp); ++ DEBUGP("Range %p: ", mr); ++ for (i = 0; i < mr->rangesize; i++) { ++ DEBUGP("%u:%s%s%s %u.%u.%u.%u - %u.%u.%u.%u %u - %u\n", ++ i, ++ (mr->range[i].flags & IP_NAT_RANGE_MAP_IPS) ++ ? " MAP_IPS" : "", ++ (mr->range[i].flags ++ & IP_NAT_RANGE_PROTO_SPECIFIED) ++ ? " PROTO_SPECIFIED" : "", ++ (mr->range[i].flags & IP_NAT_RANGE_FULL) ++ ? " FULL" : "", ++ NIPQUAD(mr->range[i].min_ip), ++ NIPQUAD(mr->range[i].max_ip), ++ mr->range[i].min.all, ++ mr->range[i].max.all); ++ } ++ } ++#endif + + do { + if (!get_unique_tuple(&new_tuple, &orig_tp, mr, conntrack, +@@ -538,6 +568,15 @@ + return NF_DROP; + } + ++#if 0 ++ DEBUGP("Hook %u (%s) %p\n", hooknum, ++ HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST", ++ conntrack); ++ DEBUGP("Original: "); ++ DUMP_TUPLE(&orig_tp); ++ DEBUGP("New: "); ++ DUMP_TUPLE(&new_tuple); ++#endif + + /* We now have two tuples (SRCIP/SRCPT/DSTIP/DSTPT): + the original (A/B/C/D') and the mangled one (E/F/G/H'). +@@ -554,6 +593,8 @@ + If fail this race (reply tuple now used), repeat. */ + } while (!ip_conntrack_alter_reply(conntrack, &reply)); + ++ /* FIXME: We can simply used existing conntrack reply tuple ++ here --RR */ + /* Create inverse of original: C/D/A/B' */ + invert_tuplepr(&inv_tuple, &orig_tp); + +@@ -678,6 +719,17 @@ + iph->check); + iph->daddr = manip->ip; + } ++#if 0 ++ if (ip_fast_csum((u8 *)iph, iph->ihl) != 0) ++ DEBUGP("IP: checksum on packet bad.\n"); ++ ++ if (proto == IPPROTO_TCP) { ++ void *th = (u_int32_t *)iph + iph->ihl; ++ if (tcp_v4_check(th, len - 4*iph->ihl, iph->saddr, iph->daddr, ++ csum_partial((char *)th, len-4*iph->ihl, 0))) ++ DEBUGP("TCP: checksum on packet bad\n"); ++ } ++#endif + } + + static inline int exp_for_packet(struct ip_conntrack_expect *exp, +@@ -765,6 +817,7 @@ + continue; + + if (exp_for_packet(exp, pskb)) { ++ /* FIXME: May be true multiple times in the case of UDP!! */ + DEBUGP("calling nat helper (exp=%p) for packet\n", + exp); + ret = helper->help(ct, exp, info, ctinfo, +@@ -926,6 +979,7 @@ + INIT_LIST_HEAD(&byipsproto[i]); + } + ++ /* FIXME: Man, this is a hack. <SIGH> */ + IP_NF_ASSERT(ip_conntrack_destroyed == NULL); + ip_conntrack_destroyed = &ip_nat_cleanup_conntrack; + +diff -Nurb linux/net/ipv4/netfilter/ip_nat_h323.c linux.stock/net/ipv4/netfilter/ip_nat_h323.c +--- linux/net/ipv4/netfilter/ip_nat_h323.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_h323.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,403 +0,0 @@ +-/* +- * H.323 'brute force' extension for NAT alteration. +- * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> +- * +- * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project. +- * (http://www.coritel.it/projects/sofia/nat.html) +- * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind' +- * the unregistered helpers to the conntrack entries. +- */ +- +- +-#include <linux/module.h> +-#include <linux/netfilter.h> +-#include <linux/ip.h> +-#include <net/checksum.h> +-#include <net/tcp.h> +- +-#include <linux/netfilter_ipv4/lockhelp.h> +-#include <linux/netfilter_ipv4/ip_nat.h> +-#include <linux/netfilter_ipv4/ip_nat_helper.h> +-#include <linux/netfilter_ipv4/ip_nat_rule.h> +-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_h323.h> +- +-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); +-MODULE_DESCRIPTION("H.323 'brute force' connection tracking module"); +-MODULE_LICENSE("GPL"); +- +-DECLARE_LOCK_EXTERN(ip_h323_lock); +-struct module *ip_nat_h323 = THIS_MODULE; +- +-#define DEBUGP(format, args...) +- +- +-static unsigned int +-h225_nat_expected(struct sk_buff **pskb, +- unsigned int hooknum, +- struct ip_conntrack *ct, +- struct ip_nat_info *info); +- +-static unsigned int h225_nat_help(struct ip_conntrack *ct, +- struct ip_conntrack_expect *exp, +- struct ip_nat_info *info, +- enum ip_conntrack_info ctinfo, +- unsigned int hooknum, +- struct sk_buff **pskb); +- +-static struct ip_nat_helper h245 = +- { { NULL, NULL }, +- "H.245", /* name */ +- 0, /* flags */ +- NULL, /* module */ +- { { 0, { 0 } }, /* tuple */ +- { 0, { 0 }, IPPROTO_TCP } }, +- { { 0, { 0xFFFF } }, /* mask */ +- { 0, { 0 }, 0xFFFF } }, +- h225_nat_help, /* helper */ +- h225_nat_expected /* expectfn */ +- }; +- +-static unsigned int +-h225_nat_expected(struct sk_buff **pskb, +- unsigned int hooknum, +- struct ip_conntrack *ct, +- struct ip_nat_info *info) +-{ +- struct ip_nat_multi_range mr; +- u_int32_t newdstip, newsrcip, newip; +- u_int16_t port; +- struct ip_ct_h225_expect *exp_info; +- struct ip_ct_h225_master *master_info; +- struct ip_conntrack *master = master_ct(ct); +- unsigned int is_h225, ret; +- +- IP_NF_ASSERT(info); +- IP_NF_ASSERT(master); +- +- IP_NF_ASSERT(!(info->initialized & (1<<HOOK2MANIP(hooknum)))); +- +- DEBUGP("h225_nat_expected: We have a connection!\n"); +- master_info = &ct->master->expectant->help.ct_h225_info; +- exp_info = &ct->master->help.exp_h225_info; +- +- LOCK_BH(&ip_h323_lock); +- +- DEBUGP("master: "); +- DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_REPLY].tuple); +- DEBUGP("conntrack: "); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- if (exp_info->dir == IP_CT_DIR_ORIGINAL) { +- /* Make connection go to the client. */ +- newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; +- newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; +- DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to client)\n", +- NIPQUAD(newsrcip), NIPQUAD(newdstip)); +- } else { +- /* Make the connection go to the server */ +- newdstip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; +- newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to server)\n", +- NIPQUAD(newsrcip), NIPQUAD(newdstip)); +- } +- port = exp_info->port; +- is_h225 = master_info->is_h225 == H225_PORT; +- UNLOCK_BH(&ip_h323_lock); +- +- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) +- newip = newsrcip; +- else +- newip = newdstip; +- +- DEBUGP("h225_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip)); +- +- mr.rangesize = 1; +- /* We don't want to manip the per-protocol, just the IPs... */ +- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; +- mr.range[0].min_ip = mr.range[0].max_ip = newip; +- +- /* ... unless we're doing a MANIP_DST, in which case, make +- sure we map to the correct port */ +- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) { +- mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; +- mr.range[0].min = mr.range[0].max +- = ((union ip_conntrack_manip_proto) +- { port }); +- } +- +- ret = ip_nat_setup_info(ct, &mr, hooknum); +- +- if (is_h225) { +- DEBUGP("h225_nat_expected: H.225, setting NAT helper for %p\n", ct); +- /* NAT expectfn called with ip_nat_lock write-locked */ +- info->helper = &h245; +- } +- return ret; +-} +- +-static int h323_signal_address_fixup(struct ip_conntrack *ct, +- struct sk_buff **pskb, +- enum ip_conntrack_info ctinfo) +-{ +- struct iphdr *iph = (*pskb)->nh.iph; +- struct tcphdr *tcph = (void *)iph + iph->ihl*4; +- unsigned char *data; +- u_int32_t tcplen = (*pskb)->len - iph->ihl*4; +- u_int32_t datalen = tcplen - tcph->doff*4; +- struct ip_ct_h225_master *info = &ct->help.ct_h225_info; +- u_int32_t newip; +- u_int16_t port; +- u_int8_t buffer[6]; +- int i; +- +- MUST_BE_LOCKED(&ip_h323_lock); +- +- DEBUGP("h323_signal_address_fixup: %s %s\n", +- between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) +- ? "yes" : "no", +- between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) +- ? "yes" : "no"); +- if (!(between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) +- || between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen))) +- return 1; +- +- DEBUGP("h323_signal_address_fixup: offsets %u + 6 and %u + 6 in %u\n", +- info->offset[IP_CT_DIR_ORIGINAL], +- info->offset[IP_CT_DIR_REPLY], +- tcplen); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); +- +- for (i = 0; i < IP_CT_DIR_MAX; i++) { +- DEBUGP("h323_signal_address_fixup: %s %s\n", +- info->dir == IP_CT_DIR_ORIGINAL ? "original" : "reply", +- i == IP_CT_DIR_ORIGINAL ? "caller" : "callee"); +- if (!between(info->seq[i], ntohl(tcph->seq), +- ntohl(tcph->seq) + datalen)) +- continue; +- if (!between(info->seq[i] + 6, ntohl(tcph->seq), +- ntohl(tcph->seq) + datalen)) { +- /* Partial retransmisison. It's a cracker being funky. */ +- if (net_ratelimit()) { +- printk("H.323_NAT: partial packet %u/6 in %u/%u\n", +- info->seq[i], +- ntohl(tcph->seq), +- ntohl(tcph->seq) + datalen); +- } +- return 0; +- } +- +- /* Change address inside packet to match way we're mapping +- this connection. */ +- if (i == IP_CT_DIR_ORIGINAL) { +- newip = ct->tuplehash[!info->dir].tuple.dst.ip; +- port = ct->tuplehash[!info->dir].tuple.dst.u.tcp.port; +- } else { +- newip = ct->tuplehash[!info->dir].tuple.src.ip; +- port = ct->tuplehash[!info->dir].tuple.src.u.tcp.port; +- } +- +- data = (char *) tcph + tcph->doff * 4 + info->offset[i]; +- +- DEBUGP("h323_signal_address_fixup: orig %s IP:port %u.%u.%u.%u:%u\n", +- i == IP_CT_DIR_ORIGINAL ? "source" : "dest ", +- data[0], data[1], data[2], data[3], +- (data[4] << 8 | data[5])); +- +- /* Modify the packet */ +- memcpy(buffer, &newip, 4); +- memcpy(buffer + 4, &port, 2); +- if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset[i], +- 6, buffer, 6)) +- return 0; +- +- DEBUGP("h323_signal_address_fixup: new %s IP:port %u.%u.%u.%u:%u\n", +- i == IP_CT_DIR_ORIGINAL ? "source" : "dest ", +- data[0], data[1], data[2], data[3], +- (data[4] << 8 | data[5])); +- } +- +- return 1; +-} +- +-static int h323_data_fixup(struct ip_ct_h225_expect *info, +- struct ip_conntrack *ct, +- struct sk_buff **pskb, +- enum ip_conntrack_info ctinfo, +- struct ip_conntrack_expect *expect) +-{ +- u_int32_t newip; +- u_int16_t port; +- u_int8_t buffer[6]; +- struct ip_conntrack_tuple newtuple; +- struct iphdr *iph = (*pskb)->nh.iph; +- struct tcphdr *tcph = (void *)iph + iph->ihl*4; +- unsigned char *data; +- u_int32_t tcplen = (*pskb)->len - iph->ihl*4; +- struct ip_ct_h225_master *master_info = &ct->help.ct_h225_info; +- int is_h225; +- +- MUST_BE_LOCKED(&ip_h323_lock); +- DEBUGP("h323_data_fixup: offset %u + 6 in %u\n", info->offset, tcplen); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); +- +- if (!between(expect->seq + 6, ntohl(tcph->seq), +- ntohl(tcph->seq) + tcplen - tcph->doff * 4)) { +- /* Partial retransmisison. It's a cracker being funky. */ +- if (net_ratelimit()) { +- printk("H.323_NAT: partial packet %u/6 in %u/%u\n", +- expect->seq, +- ntohl(tcph->seq), +- ntohl(tcph->seq) + tcplen - tcph->doff * 4); +- } +- return 0; +- } +- +- /* Change address inside packet to match way we're mapping +- this connection. */ +- if (info->dir == IP_CT_DIR_REPLY) { +- /* Must be where client thinks server is */ +- newip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; +- /* Expect something from client->server */ +- newtuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; +- newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; +- } else { +- /* Must be where server thinks client is */ +- newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- /* Expect something from server->client */ +- newtuple.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; +- newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- } +- +- is_h225 = (master_info->is_h225 == H225_PORT); +- +- if (is_h225) { +- newtuple.dst.protonum = IPPROTO_TCP; +- newtuple.src.u.tcp.port = expect->tuple.src.u.tcp.port; +- } else { +- newtuple.dst.protonum = IPPROTO_UDP; +- newtuple.src.u.udp.port = expect->tuple.src.u.udp.port; +- } +- +- /* Try to get same port: if not, try to change it. */ +- for (port = ntohs(info->port); port != 0; port++) { +- if (is_h225) +- newtuple.dst.u.tcp.port = htons(port); +- else +- newtuple.dst.u.udp.port = htons(port); +- +- if (ip_conntrack_change_expect(expect, &newtuple) == 0) +- break; +- } +- if (port == 0) { +- DEBUGP("h323_data_fixup: no free port found!\n"); +- return 0; +- } +- +- port = htons(port); +- +- data = (char *) tcph + tcph->doff * 4 + info->offset; +- +- DEBUGP("h323_data_fixup: orig IP:port %u.%u.%u.%u:%u\n", +- data[0], data[1], data[2], data[3], +- (data[4] << 8 | data[5])); +- +- /* Modify the packet */ +- memcpy(buffer, &newip, 4); +- memcpy(buffer + 4, &port, 2); +- if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset, +- 6, buffer, 6)) +- return 0; +- +- DEBUGP("h323_data_fixup: new IP:port %u.%u.%u.%u:%u\n", +- data[0], data[1], data[2], data[3], +- (data[4] << 8 | data[5])); +- +- return 1; +-} +- +-static unsigned int h225_nat_help(struct ip_conntrack *ct, +- struct ip_conntrack_expect *exp, +- struct ip_nat_info *info, +- enum ip_conntrack_info ctinfo, +- unsigned int hooknum, +- struct sk_buff **pskb) +-{ +- int dir; +- struct ip_ct_h225_expect *exp_info; +- +- /* Only mangle things once: original direction in POST_ROUTING +- and reply direction on PRE_ROUTING. */ +- dir = CTINFO2DIR(ctinfo); +- DEBUGP("nat_h323: dir %s at hook %s\n", +- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", +- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" +- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" +- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); +- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) +- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { +- DEBUGP("nat_h323: Not touching dir %s at hook %s\n", +- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", +- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" +- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" +- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); +- return NF_ACCEPT; +- } +- +- if (!exp) { +- LOCK_BH(&ip_h323_lock); +- if (!h323_signal_address_fixup(ct, pskb, ctinfo)) { +- UNLOCK_BH(&ip_h323_lock); +- return NF_DROP; +- } +- UNLOCK_BH(&ip_h323_lock); +- return NF_ACCEPT; +- } +- +- exp_info = &exp->help.exp_h225_info; +- +- LOCK_BH(&ip_h323_lock); +- if (!h323_data_fixup(exp_info, ct, pskb, ctinfo, exp)) { +- UNLOCK_BH(&ip_h323_lock); +- return NF_DROP; +- } +- UNLOCK_BH(&ip_h323_lock); +- +- return NF_ACCEPT; +-} +- +-static struct ip_nat_helper h225 = +- { { NULL, NULL }, +- "H.225", /* name */ +- IP_NAT_HELPER_F_ALWAYS, /* flags */ +- THIS_MODULE, /* module */ +- { { 0, { __constant_htons(H225_PORT) } }, /* tuple */ +- { 0, { 0 }, IPPROTO_TCP } }, +- { { 0, { 0xFFFF } }, /* mask */ +- { 0, { 0 }, 0xFFFF } }, +- h225_nat_help, /* helper */ +- h225_nat_expected /* expectfn */ +- }; +- +-static int __init init(void) +-{ +- int ret; +- +- ret = ip_nat_helper_register(&h225); +- +- if (ret != 0) +- printk("ip_nat_h323: cannot initialize the module!\n"); +- +- return ret; +-} +- +-static void __exit fini(void) +-{ +- ip_nat_helper_unregister(&h225); +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_nat_helper.c linux.stock/net/ipv4/netfilter/ip_nat_helper.c +--- linux/net/ipv4/netfilter/ip_nat_helper.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_helper.c 2004-05-09 04:13:03.000000000 -0400 +@@ -8,9 +8,6 @@ + * - add support for SACK adjustment + * 14 Mar 2002 Harald Welte <laforge@gnumonks.org>: + * - merge SACK support into newnat API +- * 16 Aug 2002 Brian J. Murrell <netfilter@interlinx.bc.ca>: +- * - make ip_nat_resize_packet more generic (TCP and UDP) +- * - add ip_nat_mangle_udp_packet + */ + #include <linux/version.h> + #include <linux/config.h> +@@ -25,7 +22,6 @@ + #include <net/icmp.h> + #include <net/ip.h> + #include <net/tcp.h> +-#include <net/udp.h> + + #define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_nat_lock) + #define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_nat_lock) +@@ -38,8 +34,13 @@ + #include <linux/netfilter_ipv4/ip_nat_helper.h> + #include <linux/netfilter_ipv4/listhelp.h> + ++#if 0 ++#define DEBUGP printk ++#define DUMP_OFFSET(x) printk("offset_before=%d, offset_after=%d, correction_pos=%u\n", x->offset_before, x->offset_after, x->correction_pos); ++#else + #define DEBUGP(format, args...) + #define DUMP_OFFSET(x) ++#endif + + DECLARE_LOCK(ip_nat_seqofs_lock); + +@@ -50,12 +51,18 @@ + int new_size) + { + struct iphdr *iph; ++ struct tcphdr *tcph; ++ void *data; + int dir; + struct ip_nat_seq *this_way, *other_way; + + DEBUGP("ip_nat_resize_packet: old_size = %u, new_size = %u\n", + (*skb)->len, new_size); + ++ iph = (*skb)->nh.iph; ++ tcph = (void *)iph + iph->ihl*4; ++ data = (void *)tcph + tcph->doff*4; ++ + dir = CTINFO2DIR(ctinfo); + + this_way = &ct->nat.info.seq[dir]; +@@ -77,9 +84,8 @@ + } + + iph = (*skb)->nh.iph; +- if (iph->protocol == IPPROTO_TCP) { +- struct tcphdr *tcph = (void *)iph + iph->ihl*4; +- void *data = (void *)tcph + tcph->doff*4; ++ tcph = (void *)iph + iph->ihl*4; ++ data = (void *)tcph + tcph->doff*4; + + DEBUGP("ip_nat_resize_packet: Seq_offset before: "); + DUMP_OFFSET(this_way); +@@ -95,20 +101,25 @@ + this_way->correction_pos = ntohl(tcph->seq); + this_way->offset_before = this_way->offset_after; + this_way->offset_after = (int32_t) +- this_way->offset_before + new_size - +- (*skb)->len; ++ this_way->offset_before + new_size - (*skb)->len; + } + + UNLOCK_BH(&ip_nat_seqofs_lock); + + DEBUGP("ip_nat_resize_packet: Seq_offset after: "); + DUMP_OFFSET(this_way); +- } + + return 1; + } + + ++/* Generic function for mangling variable-length address changes inside ++ * NATed connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX command in FTP). ++ * ++ * Takes care about all the nasty sequence number changes, checksumming, ++ * skb enlargement, ... ++ * ++ * */ + int + ip_nat_mangle_tcp_packet(struct sk_buff **skb, + struct ip_conntrack *ct, +@@ -163,7 +174,6 @@ + tcph = (void *)iph + iph->ihl*4; + data = (void *)tcph + tcph->doff*4; + +- if (rep_len != match_len) + /* move post-replacement */ + memmove(data + match_offset + rep_len, + data + match_offset + match_len, +@@ -198,104 +208,6 @@ + return 1; + } + +-int +-ip_nat_mangle_udp_packet(struct sk_buff **skb, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo, +- unsigned int match_offset, +- unsigned int match_len, +- char *rep_buffer, +- unsigned int rep_len) +-{ +- struct iphdr *iph = (*skb)->nh.iph; +- struct udphdr *udph = (void *)iph + iph->ihl * 4; +- unsigned char *data; +- u_int32_t udplen, newlen, newudplen; +- +- udplen = (*skb)->len - iph->ihl*4; +- newudplen = udplen - match_len + rep_len; +- newlen = iph->ihl*4 + newudplen; +- +- if (newlen > 65535) { +- if (net_ratelimit()) +- printk("ip_nat_mangle_udp_packet: nat'ed packet " +- "exceeds maximum packet size\n"); +- return 0; +- } +- +- if ((*skb)->len != newlen) { +- if (!ip_nat_resize_packet(skb, ct, ctinfo, newlen)) { +- printk("resize_packet failed!!\n"); +- return 0; +- } +- } +- +- /* Alexey says: if a hook changes _data_ ... it can break +- original packet sitting in tcp queue and this is fatal */ +- if (skb_cloned(*skb)) { +- struct sk_buff *nskb = skb_copy(*skb, GFP_ATOMIC); +- if (!nskb) { +- if (net_ratelimit()) +- printk("Out of memory cloning TCP packet\n"); +- return 0; +- } +- /* Rest of kernel will get very unhappy if we pass it +- a suddenly-orphaned skbuff */ +- if ((*skb)->sk) +- skb_set_owner_w(nskb, (*skb)->sk); +- kfree_skb(*skb); +- *skb = nskb; +- } +- +- /* skb may be copied !! */ +- iph = (*skb)->nh.iph; +- udph = (void *)iph + iph->ihl*4; +- data = (void *)udph + sizeof(struct udphdr); +- +- if (rep_len != match_len) +- /* move post-replacement */ +- memmove(data + match_offset + rep_len, +- data + match_offset + match_len, +- (*skb)->tail - (data + match_offset + match_len)); +- +- /* insert data from buffer */ +- memcpy(data + match_offset, rep_buffer, rep_len); +- +- /* update skb info */ +- if (newlen > (*skb)->len) { +- DEBUGP("ip_nat_mangle_udp_packet: Extending packet by " +- "%u to %u bytes\n", newlen - (*skb)->len, newlen); +- skb_put(*skb, newlen - (*skb)->len); +- } else { +- DEBUGP("ip_nat_mangle_udp_packet: Shrinking packet from " +- "%u to %u bytes\n", (*skb)->len, newlen); +- skb_trim(*skb, newlen); +- } +- +- /* update the length of the UDP and IP packets to the new values*/ +- udph->len = htons((*skb)->len - iph->ihl*4); +- iph->tot_len = htons(newlen); +- +- /* fix udp checksum if udp checksum was previously calculated */ +- if ((*skb)->csum != 0) { +- (*skb)->csum = csum_partial((char *)udph + +- sizeof(struct udphdr), +- newudplen - sizeof(struct udphdr), +- 0); +- +- udph->check = 0; +- udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr, +- newudplen, IPPROTO_UDP, +- csum_partial((char *)udph, +- sizeof(struct udphdr), +- (*skb)->csum)); +- } +- +- ip_send_check(iph); +- +- return 1; +-} +- + /* Adjust one found SACK option including checksum correction */ + static void + sack_adjust(struct tcphdr *tcph, +diff -Nurb linux/net/ipv4/netfilter/ip_nat_mms.c linux.stock/net/ipv4/netfilter/ip_nat_mms.c +--- linux/net/ipv4/netfilter/ip_nat_mms.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_mms.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,330 +0,0 @@ +-/* MMS extension for TCP NAT alteration. +- * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be> +- * based on ip_nat_ftp.c and ip_nat_irc.c +- * +- * ip_nat_mms.c v0.3 2002-09-22 +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- * +- * Module load syntax: +- * insmod ip_nat_mms.o ports=port1,port2,...port<MAX_PORTS> +- * +- * Please give the ports of all MMS servers You wish to connect to. +- * If you don't specify ports, the default will be TCP port 1755. +- * +- * More info on MMS protocol, firewalls and NAT: +- * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp +- * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp +- * +- * The SDP project people are reverse-engineering MMS: +- * http://get.to/sdp +- */ +- +- +-#include <linux/module.h> +-#include <linux/netfilter_ipv4.h> +-#include <linux/ip.h> +-#include <linux/tcp.h> +-#include <net/tcp.h> +-#include <linux/netfilter_ipv4/ip_nat.h> +-#include <linux/netfilter_ipv4/ip_nat_helper.h> +-#include <linux/netfilter_ipv4/ip_nat_rule.h> +-#include <linux/netfilter_ipv4/ip_conntrack_mms.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +- +-#define DEBUGP(format, args...) +-#define DUMP_BYTES(address, counter) +- +-#define MAX_PORTS 8 +-static int ports[MAX_PORTS]; +-static int ports_c = 0; +- +-#ifdef MODULE_PARM +-MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); +-#endif +- +-MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>"); +-MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) NAT module"); +-MODULE_LICENSE("GPL"); +- +-DECLARE_LOCK_EXTERN(ip_mms_lock); +- +- +-static int mms_data_fixup(const struct ip_ct_mms_expect *ct_mms_info, +- struct ip_conntrack *ct, +- struct sk_buff **pskb, +- enum ip_conntrack_info ctinfo, +- struct ip_conntrack_expect *expect) +-{ +- u_int32_t newip; +- struct ip_conntrack_tuple t; +- struct iphdr *iph = (*pskb)->nh.iph; +- struct tcphdr *tcph = (void *) iph + iph->ihl * 4; +- char *data = (char *)tcph + tcph->doff * 4; +- int i, j, k, port; +- u_int16_t mms_proto; +- +- u_int32_t *mms_chunkLenLV = (u_int32_t *)(data + MMS_SRV_CHUNKLENLV_OFFSET); +- u_int32_t *mms_chunkLenLM = (u_int32_t *)(data + MMS_SRV_CHUNKLENLM_OFFSET); +- u_int32_t *mms_messageLength = (u_int32_t *)(data + MMS_SRV_MESSAGELENGTH_OFFSET); +- +- int zero_padding; +- +- char buffer[28]; /* "\\255.255.255.255\UDP\65635" * 2 (for unicode) */ +- char unicode_buffer[75]; /* 27*2 (unicode) + 20 + 1 */ +- char proto_string[6]; +- +- MUST_BE_LOCKED(&ip_mms_lock); +- +- /* what was the protocol again ? */ +- mms_proto = expect->tuple.dst.protonum; +- sprintf(proto_string, "%u", mms_proto); +- +- DEBUGP("ip_nat_mms: mms_data_fixup: info (seq %u + %u) in %u, proto %s\n", +- expect->seq, ct_mms_info->len, ntohl(tcph->seq), +- mms_proto == IPPROTO_UDP ? "UDP" +- : mms_proto == IPPROTO_TCP ? "TCP":proto_string); +- +- newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- +- /* Alter conntrack's expectations. */ +- t = expect->tuple; +- t.dst.ip = newip; +- for (port = ct_mms_info->port; port != 0; port++) { +- t.dst.u.tcp.port = htons(port); +- if (ip_conntrack_change_expect(expect, &t) == 0) { +- DEBUGP("ip_nat_mms: mms_data_fixup: using port %d\n", port); +- break; +- } +- } +- +- if(port == 0) +- return 0; +- +- sprintf(buffer, "\\\\%u.%u.%u.%u\\%s\\%u", +- NIPQUAD(newip), +- expect->tuple.dst.protonum == IPPROTO_UDP ? "UDP" +- : expect->tuple.dst.protonum == IPPROTO_TCP ? "TCP":proto_string, +- port); +- DEBUGP("ip_nat_mms: new unicode string=%s\n", buffer); +- +- memset(unicode_buffer, 0, sizeof(char)*75); +- +- for (i=0; i<strlen(buffer); ++i) +- *(unicode_buffer+i*2)=*(buffer+i); +- +- DEBUGP("ip_nat_mms: mms_data_fixup: padding: %u len: %u\n", ct_mms_info->padding, ct_mms_info->len); +- DEBUGP("ip_nat_mms: mms_data_fixup: offset: %u\n", MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len); +- DUMP_BYTES(data+MMS_SRV_UNICODE_STRING_OFFSET, 60); +- +- /* add end of packet to it */ +- for (j=0; j<ct_mms_info->padding; ++j) { +- DEBUGP("ip_nat_mms: mms_data_fixup: i=%u j=%u byte=%u\n", +- i, j, (u8)*(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j)); +- *(unicode_buffer+i*2+j) = *(data+MMS_SRV_UNICODE_STRING_OFFSET+ct_mms_info->len+j); +- } +- +- /* pad with zeroes at the end ? see explanation of weird math below */ +- zero_padding = (8-(strlen(buffer)*2 + ct_mms_info->padding + 4)%8)%8; +- for (k=0; k<zero_padding; ++k) +- *(unicode_buffer+i*2+j+k)= (char)0; +- +- DEBUGP("ip_nat_mms: mms_data_fixup: zero_padding = %u\n", zero_padding); +- DEBUGP("ip_nat_mms: original=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n", +- *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength); +- +- /* explanation, before I forget what I did: +- strlen(buffer)*2 + ct_mms_info->padding + 4 must be divisable by 8; +- divide by 8 and add 3 to compute the mms_chunkLenLM field, +- but note that things may have to be padded with zeroes to align by 8 +- bytes, hence we add 7 and divide by 8 to get the correct length */ +- *mms_chunkLenLM = (u_int32_t) (3+(strlen(buffer)*2+ct_mms_info->padding+11)/8); +- *mms_chunkLenLV = *mms_chunkLenLM+2; +- *mms_messageLength = *mms_chunkLenLV*8; +- +- DEBUGP("ip_nat_mms: modified=> chunkLenLV=%u chunkLenLM=%u messageLength=%u\n", +- *mms_chunkLenLV, *mms_chunkLenLM, *mms_messageLength); +- +- ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, +- expect->seq - ntohl(tcph->seq), +- ct_mms_info->len + ct_mms_info->padding, unicode_buffer, +- strlen(buffer)*2 + ct_mms_info->padding + zero_padding); +- DUMP_BYTES(unicode_buffer, 60); +- +- return 1; +-} +- +-static unsigned int +-mms_nat_expected(struct sk_buff **pskb, +- unsigned int hooknum, +- struct ip_conntrack *ct, +- struct ip_nat_info *info) +-{ +- struct ip_nat_multi_range mr; +- u_int32_t newdstip, newsrcip, newip; +- +- struct ip_conntrack *master = master_ct(ct); +- +- IP_NF_ASSERT(info); +- IP_NF_ASSERT(master); +- +- IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum)))); +- +- DEBUGP("ip_nat_mms: mms_nat_expected: We have a connection!\n"); +- +- newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; +- newsrcip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; +- DEBUGP("ip_nat_mms: mms_nat_expected: hook %s: newsrc->newdst %u.%u.%u.%u->%u.%u.%u.%u\n", +- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" +- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" +- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???", +- NIPQUAD(newsrcip), NIPQUAD(newdstip)); +- +- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) +- newip = newsrcip; +- else +- newip = newdstip; +- +- DEBUGP("ip_nat_mms: mms_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip)); +- +- mr.rangesize = 1; +- /* We don't want to manip the per-protocol, just the IPs. */ +- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; +- mr.range[0].min_ip = mr.range[0].max_ip = newip; +- +- return ip_nat_setup_info(ct, &mr, hooknum); +-} +- +- +-static unsigned int mms_nat_help(struct ip_conntrack *ct, +- struct ip_conntrack_expect *exp, +- struct ip_nat_info *info, +- enum ip_conntrack_info ctinfo, +- unsigned int hooknum, +- struct sk_buff **pskb) +-{ +- struct iphdr *iph = (*pskb)->nh.iph; +- struct tcphdr *tcph = (void *) iph + iph->ihl * 4; +- unsigned int datalen; +- int dir; +- struct ip_ct_mms_expect *ct_mms_info; +- +- if (!exp) +- DEBUGP("ip_nat_mms: no exp!!"); +- +- ct_mms_info = &exp->help.exp_mms_info; +- +- /* Only mangle things once: original direction in POST_ROUTING +- and reply direction on PRE_ROUTING. */ +- dir = CTINFO2DIR(ctinfo); +- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) +- ||(hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { +- DEBUGP("ip_nat_mms: mms_nat_help: not touching dir %s at hook %s\n", +- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", +- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" +- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" +- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); +- return NF_ACCEPT; +- } +- DEBUGP("ip_nat_mms: mms_nat_help: beyond not touching (dir %s at hook %s)\n", +- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", +- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" +- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" +- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); +- +- datalen = (*pskb)->len - iph->ihl * 4 - tcph->doff * 4; +- +- DEBUGP("ip_nat_mms: mms_nat_help: %u+%u=%u %u %u\n", exp->seq, ct_mms_info->len, +- exp->seq + ct_mms_info->len, +- ntohl(tcph->seq), +- ntohl(tcph->seq) + datalen); +- +- LOCK_BH(&ip_mms_lock); +- /* Check wether the whole IP/proto/port pattern is carried in the payload */ +- if (between(exp->seq + ct_mms_info->len, +- ntohl(tcph->seq), +- ntohl(tcph->seq) + datalen)) { +- if (!mms_data_fixup(ct_mms_info, ct, pskb, ctinfo, exp)) { +- UNLOCK_BH(&ip_mms_lock); +- return NF_DROP; +- } +- } else { +- /* Half a match? This means a partial retransmisison. +- It's a cracker being funky. */ +- if (net_ratelimit()) { +- printk("ip_nat_mms: partial packet %u/%u in %u/%u\n", +- exp->seq, ct_mms_info->len, +- ntohl(tcph->seq), +- ntohl(tcph->seq) + datalen); +- } +- UNLOCK_BH(&ip_mms_lock); +- return NF_DROP; +- } +- UNLOCK_BH(&ip_mms_lock); +- +- return NF_ACCEPT; +-} +- +-static struct ip_nat_helper mms[MAX_PORTS]; +-static char mms_names[MAX_PORTS][10]; +- +-/* Not __exit: called from init() */ +-static void fini(void) +-{ +- int i; +- +- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { +- DEBUGP("ip_nat_mms: unregistering helper for port %d\n", ports[i]); +- ip_nat_helper_unregister(&mms[i]); +- } +-} +- +-static int __init init(void) +-{ +- int i, ret = 0; +- char *tmpname; +- +- if (ports[0] == 0) +- ports[0] = MMS_PORT; +- +- for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { +- +- memset(&mms[i], 0, sizeof(struct ip_nat_helper)); +- +- mms[i].tuple.dst.protonum = IPPROTO_TCP; +- mms[i].tuple.src.u.tcp.port = htons(ports[i]); +- mms[i].mask.dst.protonum = 0xFFFF; +- mms[i].mask.src.u.tcp.port = 0xFFFF; +- mms[i].help = mms_nat_help; +- mms[i].me = THIS_MODULE; +- mms[i].flags = 0; +- mms[i].expect = mms_nat_expected; +- +- tmpname = &mms_names[i][0]; +- if (ports[i] == MMS_PORT) +- sprintf(tmpname, "mms"); +- else +- sprintf(tmpname, "mms-%d", i); +- mms[i].name = tmpname; +- +- DEBUGP("ip_nat_mms: register helper for port %d\n", +- ports[i]); +- ret = ip_nat_helper_register(&mms[i]); +- +- if (ret) { +- printk("ip_nat_mms: error registering " +- "helper for port %d\n", ports[i]); +- fini(); +- return ret; +- } +- ports_c++; +- } +- +- return ret; +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_nat_pptp.c linux.stock/net/ipv4/netfilter/ip_nat_pptp.c +--- linux/net/ipv4/netfilter/ip_nat_pptp.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_pptp.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,412 +0,0 @@ +-/* +- * ip_nat_pptp.c - Version 1.11 +- * +- * NAT support for PPTP (Point to Point Tunneling Protocol). +- * PPTP is a a protocol for creating virtual private networks. +- * It is a specification defined by Microsoft and some vendors +- * working with Microsoft. PPTP is built on top of a modified +- * version of the Internet Generic Routing Encapsulation Protocol. +- * GRE is defined in RFC 1701 and RFC 1702. Documentation of +- * PPTP can be found in RFC 2637 +- * +- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> +- * +- * Development of this code funded by Astaro AG (http://www.astaro.com/) +- * +- * TODO: - Support for multiple calls within one session +- * (needs netfilter newnat code) +- * - NAT to a unique tuple, not to TCP source port +- * (needs netfilter tuple reservation) +- * - Support other NAT scenarios than SNAT of PNS +- * +- */ +- +-#include <linux/config.h> +-#include <linux/module.h> +-#include <linux/ip.h> +-#include <linux/tcp.h> +-#include <net/tcp.h> +-#include <linux/netfilter_ipv4/ip_nat.h> +-#include <linux/netfilter_ipv4/ip_nat_rule.h> +-#include <linux/netfilter_ipv4/ip_nat_helper.h> +-#include <linux/netfilter_ipv4/ip_nat_pptp.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> +-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h> +- +-MODULE_LICENSE("GPL"); +-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); +-MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP"); +- +- +-#define DEBUGP(format, args...) +- +-static unsigned int +-pptp_nat_expected(struct sk_buff **pskb, +- unsigned int hooknum, +- struct ip_conntrack *ct, +- struct ip_nat_info *info) +-{ +- struct ip_conntrack *master = master_ct(ct); +- struct ip_nat_multi_range mr; +- struct ip_ct_pptp_master *ct_pptp_info; +- struct ip_nat_pptp *nat_pptp_info; +- u_int32_t newsrcip, newdstip, newcid; +- int ret; +- +- IP_NF_ASSERT(info); +- IP_NF_ASSERT(master); +- IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum)))); +- +- DEBUGP("we have a connection!\n"); +- +- LOCK_BH(&ip_pptp_lock); +- ct_pptp_info = &master->help.ct_pptp_info; +- nat_pptp_info = &master->nat.help.nat_pptp_info; +- +- /* need to alter GRE tuple because conntrack expectfn() used 'wrong' +- * (unmanipulated) values */ +- if (hooknum == NF_IP_PRE_ROUTING) { +- DEBUGP("completing tuples with NAT info \n"); +- /* we can do this, since we're unconfirmed */ +- if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key == +- htonl(ct_pptp_info->pac_call_id)) { +- /* assume PNS->PAC */ +- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key = +- htonl(nat_pptp_info->pns_call_id); +-// ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.gre.key = +-// htonl(nat_pptp_info->pac_call_id); +- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key = +- htonl(nat_pptp_info->pns_call_id); +- } else { +- /* assume PAC->PNS */ +- DEBUGP("WRONG DIRECTION\n"); +- ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key = +- htonl(nat_pptp_info->pac_call_id); +- ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key = +- htonl(nat_pptp_info->pns_call_id); +- } +- } +- +- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) { +- newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; +- newcid = htonl(master->nat.help.nat_pptp_info.pac_call_id); +- +- mr.rangesize = 1; +- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED; +- mr.range[0].min_ip = mr.range[0].max_ip = newdstip; +- mr.range[0].min = mr.range[0].max = +- ((union ip_conntrack_manip_proto ) { newcid }); +- DEBUGP("change dest ip to %u.%u.%u.%u\n", +- NIPQUAD(newdstip)); +- DEBUGP("change dest key to 0x%x\n", ntohl(newcid)); +- ret = ip_nat_setup_info(ct, &mr, hooknum); +- } else { +- newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- /* nat_multi_range is in network byte order, and GRE tuple +- * is 32 bits, not 16 like callID */ +- newcid = htonl(master->help.ct_pptp_info.pns_call_id); +- +- mr.rangesize = 1; +- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS +- |IP_NAT_RANGE_PROTO_SPECIFIED; +- mr.range[0].min_ip = mr.range[0].max_ip = newsrcip; +- mr.range[0].min = mr.range[0].max = +- ((union ip_conntrack_manip_proto ) { newcid }); +- DEBUGP("change src ip to %u.%u.%u.%u\n", +- NIPQUAD(newsrcip)); +- DEBUGP("change 'src' key to 0x%x\n", ntohl(newcid)); +- ret = ip_nat_setup_info(ct, &mr, hooknum); +- } +- +- UNLOCK_BH(&ip_pptp_lock); +- +- return ret; +- +-} +- +-/* outbound packets == from PNS to PAC */ +-static inline unsigned int +-pptp_outbound_pkt(struct tcphdr *tcph, struct pptp_pkt_hdr *pptph, +- size_t datalen, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo, +- struct ip_conntrack_expect *exp) +- +-{ +- struct PptpControlHeader *ctlh; +- union pptp_ctrl_union pptpReq; +- struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info; +- struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info; +- +- u_int16_t msg, *cid = NULL, new_callid; +- +- ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph)); +- pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh)); +- +- new_callid = htons(ct_pptp_info->pns_call_id); +- +- switch (msg = ntohs(ctlh->messageType)) { +- case PPTP_OUT_CALL_REQUEST: +- cid = &pptpReq.ocreq->callID; +- +- /* save original call ID in nat_info */ +- nat_pptp_info->pns_call_id = ct_pptp_info->pns_call_id; +- +- new_callid = tcph->source; +- /* save new call ID in ct info */ +- ct_pptp_info->pns_call_id = ntohs(new_callid); +- break; +- case PPTP_IN_CALL_REPLY: +- cid = &pptpReq.icreq->callID; +- break; +- case PPTP_CALL_CLEAR_REQUEST: +- cid = &pptpReq.clrreq->callID; +- break; +- case PPTP_CALL_DISCONNECT_NOTIFY: +- cid = &pptpReq.disc->callID; +- break; +- +- default: +- DEBUGP("unknown outbound packet 0x%04x:%s\n", msg, +- (msg <= PPTP_MSG_MAX)? strMName[msg]:strMName[0]); +- /* fall through */ +- +- case PPTP_SET_LINK_INFO: +- /* only need to NAT in case PAC is behind NAT box */ +- case PPTP_START_SESSION_REQUEST: +- case PPTP_START_SESSION_REPLY: +- case PPTP_STOP_SESSION_REQUEST: +- case PPTP_STOP_SESSION_REPLY: +- case PPTP_ECHO_REQUEST: +- case PPTP_ECHO_REPLY: +- /* no need to alter packet */ +- return NF_ACCEPT; +- } +- +- IP_NF_ASSERT(cid); +- +- DEBUGP("altering call id from 0x%04x to 0x%04x\n", +- ntohs(*cid), ntohs(new_callid)); +- /* mangle packet */ +- tcph->check = ip_nat_cheat_check(*cid^0xFFFF, +- new_callid, tcph->check); +- *cid = new_callid; +- +- return NF_ACCEPT; +-} +- +-/* inbound packets == from PAC to PNS */ +-static inline unsigned int +-pptp_inbound_pkt(struct tcphdr *tcph, struct pptp_pkt_hdr *pptph, +- size_t datalen, +- struct ip_conntrack *ct, +- enum ip_conntrack_info ctinfo, +- struct ip_conntrack_expect *oldexp) +-{ +- struct PptpControlHeader *ctlh; +- union pptp_ctrl_union pptpReq; +- struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info; +- struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info; +- +- u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL; +- u_int32_t old_dst_ip; +- +- struct ip_conntrack_tuple t; +- +- ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph)); +- pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh)); +- +- new_pcid = htons(nat_pptp_info->pns_call_id); +- +- switch (msg = ntohs(ctlh->messageType)) { +- case PPTP_OUT_CALL_REPLY: +- pcid = &pptpReq.ocack->peersCallID; +- cid = &pptpReq.ocack->callID; +- if (!oldexp) { +- DEBUGP("outcall but no expectation\n"); +- break; +- } +- old_dst_ip = oldexp->tuple.dst.ip; +- t = oldexp->tuple; +- +- /* save original PAC call ID in nat_info */ +- nat_pptp_info->pac_call_id = ct_pptp_info->pac_call_id; +- +- /* store new callID in ct_info, so conntrack works */ +- //ct_pptp_info->pac_call_id = ntohs(tcph->source); +- //new_cid = htons(ct_pptp_info->pac_call_id); +- +- /* alter expectation */ +- if (t.dst.ip == ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip) { +- /* expectation for PNS->PAC direction */ +- t.dst.u.gre.key = htonl(ct_pptp_info->pac_call_id); +- t.src.u.gre.key = htonl(nat_pptp_info->pns_call_id); +- } else { +- /* expectation for PAC->PNS direction */ +- t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- DEBUGP("EXPECTATION IN WRONG DIRECTION!!!\n"); +- } +- +- if (!ip_conntrack_change_expect(oldexp, &t)) { +- DEBUGP("successfully changed expect\n"); +- } else { +- DEBUGP("can't change expect\n"); +- } +- ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_orig, &t); +- /* reply keymap */ +- t.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; +- t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- t.src.u.gre.key = htonl(nat_pptp_info->pac_call_id); +- t.dst.u.gre.key = htonl(ct_pptp_info->pns_call_id); +- ip_ct_gre_keymap_change(oldexp->proto.gre.keymap_reply, &t); +- +- break; +- case PPTP_IN_CALL_CONNECT: +- pcid = &pptpReq.iccon->peersCallID; +- if (!oldexp) +- break; +- old_dst_ip = oldexp->tuple.dst.ip; +- t = oldexp->tuple; +- +- /* alter expectation, no need for callID */ +- if (t.dst.ip == ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip) { +- /* expectation for PNS->PAC direction */ +- t.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- } else { +- /* expectation for PAC->PNS direction */ +- t.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; +- } +- +- if (!ip_conntrack_change_expect(oldexp, &t)) { +- DEBUGP("successfully changed expect\n"); +- } else { +- DEBUGP("can't change expect\n"); +- } +- break; +- case PPTP_IN_CALL_REQUEST: +- /* only need to nat in case PAC is behind NAT box */ +- break; +- case PPTP_WAN_ERROR_NOTIFY: +- pcid = &pptpReq.wanerr->peersCallID; +- break; +- default: +- DEBUGP("unknown inbound packet %s\n", +- (msg <= PPTP_MSG_MAX)? strMName[msg]:strMName[0]); +- /* fall through */ +- +- case PPTP_START_SESSION_REQUEST: +- case PPTP_START_SESSION_REPLY: +- case PPTP_STOP_SESSION_REQUEST: +- case PPTP_ECHO_REQUEST: +- case PPTP_ECHO_REPLY: +- /* no need to alter packet */ +- return NF_ACCEPT; +- } +- +- /* mangle packet */ +- IP_NF_ASSERT(pcid); +- DEBUGP("altering peer call id from 0x%04x to 0x%04x\n", +- ntohs(*pcid), ntohs(new_pcid)); +- tcph->check = ip_nat_cheat_check(*pcid^0xFFFF, +- new_pcid, tcph->check); +- *pcid = new_pcid; +- +- if (new_cid) { +- IP_NF_ASSERT(cid); +- DEBUGP("altering call id from 0x%04x to 0x%04x\n", +- ntohs(*cid), ntohs(new_cid)); +- tcph->check = ip_nat_cheat_check(*cid^0xFFFF, +- new_cid, tcph->check); +- *cid = new_cid; +- } +- +- /* great, at least we don't need to resize packets */ +- return NF_ACCEPT; +-} +- +- +-static unsigned int tcp_help(struct ip_conntrack *ct, +- struct ip_conntrack_expect *exp, +- struct ip_nat_info *info, +- enum ip_conntrack_info ctinfo, +- unsigned int hooknum, struct sk_buff **pskb) +-{ +- struct iphdr *iph = (*pskb)->nh.iph; +- struct tcphdr *tcph = (void *) iph + iph->ihl*4; +- unsigned int datalen = (*pskb)->len - iph->ihl*4 - tcph->doff*4; +- struct pptp_pkt_hdr *pptph; +- void *datalimit; +- +- int dir; +- +- DEBUGP("entering\n"); +- +- /* Only mangle things once: original direction in POST_ROUTING +- and reply direction on PRE_ROUTING. */ +- dir = CTINFO2DIR(ctinfo); +- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) +- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) { +- DEBUGP("Not touching dir %s at hook %s\n", +- dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY", +- hooknum == NF_IP_POST_ROUTING ? "POSTROUTING" +- : hooknum == NF_IP_PRE_ROUTING ? "PREROUTING" +- : hooknum == NF_IP_LOCAL_OUT ? "OUTPUT" : "???"); +- return NF_ACCEPT; +- } +- +- /* if packet is too small, just skip it */ +- if (datalen < sizeof(struct pptp_pkt_hdr)+ +- sizeof(struct PptpControlHeader)) { +- DEBUGP("pptp packet too short\n"); +- return NF_ACCEPT; +- } +- +- +- pptph = (struct pptp_pkt_hdr *) ((void *)tcph + tcph->doff*4); +- datalimit = (void *) pptph + datalen; +- +- LOCK_BH(&ip_pptp_lock); +- +- if (dir == IP_CT_DIR_ORIGINAL) { +- /* reuqests sent by client to server (PNS->PAC) */ +- pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo, exp); +- } else { +- /* response from the server to the client (PAC->PNS) */ +- pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo, exp); +- } +- +- UNLOCK_BH(&ip_pptp_lock); +- +- return NF_ACCEPT; +-} +- +-/* nat helper struct for control connection */ +-static struct ip_nat_helper pptp_tcp_helper = { +- { NULL, NULL }, +- "pptp", IP_NAT_HELPER_F_ALWAYS, THIS_MODULE, +- { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } }, +- { 0, { 0 }, IPPROTO_TCP } }, +- { { 0, { tcp: { port: 0xFFFF } } }, +- { 0, { 0 }, 0xFFFF } }, +- tcp_help, pptp_nat_expected }; +- +- +-static int __init init(void) +-{ +- DEBUGP("init_module\n" ); +- +- if (ip_nat_helper_register(&pptp_tcp_helper)) +- return -EIO; +- +- return 0; +-} +- +-static void __exit fini(void) +-{ +- DEBUGP("cleanup_module\n" ); +- ip_nat_helper_unregister(&pptp_tcp_helper); +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_nat_proto_gre.c linux.stock/net/ipv4/netfilter/ip_nat_proto_gre.c +--- linux/net/ipv4/netfilter/ip_nat_proto_gre.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_proto_gre.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,212 +0,0 @@ +-/* +- * ip_nat_proto_gre.c - Version 1.11 +- * +- * NAT protocol helper module for GRE. +- * +- * GRE is a generic encapsulation protocol, which is generally not very +- * suited for NAT, as it has no protocol-specific part as port numbers. +- * +- * It has an optional key field, which may help us distinguishing two +- * connections between the same two hosts. +- * +- * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784 +- * +- * PPTP is built on top of a modified version of GRE, and has a mandatory +- * field called "CallID", which serves us for the same purpose as the key +- * field in plain GRE. +- * +- * Documentation about PPTP can be found in RFC 2637 +- * +- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> +- * +- * Development of this code funded by Astaro AG (http://www.astaro.com/) +- * +- */ +- +-#include <linux/config.h> +-#include <linux/module.h> +-#include <linux/ip.h> +-#include <linux/netfilter_ipv4/ip_nat.h> +-#include <linux/netfilter_ipv4/ip_nat_rule.h> +-#include <linux/netfilter_ipv4/ip_nat_protocol.h> +-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h> +- +-MODULE_LICENSE("GPL"); +-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); +-MODULE_DESCRIPTION("Netfilter NAT protocol helper module for GRE"); +- +-#define DEBUGP(x, args...) +- +-/* is key in given range between min and max */ +-static int +-gre_in_range(const struct ip_conntrack_tuple *tuple, +- enum ip_nat_manip_type maniptype, +- const union ip_conntrack_manip_proto *min, +- const union ip_conntrack_manip_proto *max) +-{ +- return ntohl(tuple->src.u.gre.key) >= ntohl(min->gre.key) +- && ntohl(tuple->src.u.gre.key) <= ntohl(max->gre.key); +-} +- +-/* generate unique tuple ... */ +-static int +-gre_unique_tuple(struct ip_conntrack_tuple *tuple, +- const struct ip_nat_range *range, +- enum ip_nat_manip_type maniptype, +- const struct ip_conntrack *conntrack) +-{ +- u_int32_t min, i, range_size; +- u_int32_t key = 0, *keyptr; +- +- if (maniptype == IP_NAT_MANIP_SRC) +- keyptr = &tuple->src.u.gre.key; +- else +- keyptr = &tuple->dst.u.gre.key; +- +- if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { +- +- switch (tuple->dst.u.gre.version) { +- case 0: +- DEBUGP("NATing GRE version 0 (ct=%p)\n", +- conntrack); +- min = 1; +- range_size = 0xffffffff; +- break; +- case GRE_VERSION_PPTP: +- DEBUGP("%p: NATing GRE PPTP\n", +- conntrack); +- min = 1; +- range_size = 0xffff; +- break; +- default: +- printk(KERN_WARNING "nat_gre: unknown GRE version\n"); +- return 0; +- break; +- } +- +- } else { +- min = ntohl(range->min.gre.key); +- range_size = ntohl(range->max.gre.key) - min + 1; +- } +- +- DEBUGP("min = %u, range_size = %u\n", min, range_size); +- +- for (i = 0; i < range_size; i++, key++) { +- *keyptr = htonl(min + key % range_size); +- if (!ip_nat_used_tuple(tuple, conntrack)) +- return 1; +- } +- +- DEBUGP("%p: no NAT mapping\n", conntrack); +- +- return 0; +-} +- +-/* manipulate a GRE packet according to maniptype */ +-static void +-gre_manip_pkt(struct iphdr *iph, size_t len, +- const struct ip_conntrack_manip *manip, +- enum ip_nat_manip_type maniptype) +-{ +- struct gre_hdr *greh = (struct gre_hdr *)((u_int32_t *)iph+iph->ihl); +- struct gre_hdr_pptp *pgreh = (struct gre_hdr_pptp *) greh; +- +- /* we only have destination manip of a packet, since 'source key' +- * is not present in the packet itself */ +- if (maniptype == IP_NAT_MANIP_DST) { +- /* key manipulation is always dest */ +- switch (greh->version) { +- case 0: +- if (!greh->key) { +- DEBUGP("can't nat GRE w/o key\n"); +- break; +- } +- if (greh->csum) { +- *(gre_csum(greh)) = +- ip_nat_cheat_check(~*(gre_key(greh)), +- manip->u.gre.key, +- *(gre_csum(greh))); +- } +- *(gre_key(greh)) = manip->u.gre.key; +- break; +- case GRE_VERSION_PPTP: +- DEBUGP("call_id -> 0x%04x\n", +- ntohl(manip->u.gre.key)); +- pgreh->call_id = htons(ntohl(manip->u.gre.key)); +- break; +- default: +- DEBUGP("can't nat unknown GRE version\n"); +- break; +- } +- } +-} +- +-/* print out a nat tuple */ +-static unsigned int +-gre_print(char *buffer, +- const struct ip_conntrack_tuple *match, +- const struct ip_conntrack_tuple *mask) +-{ +- unsigned int len = 0; +- +- if (mask->dst.u.gre.version) +- len += sprintf(buffer + len, "version=%d ", +- ntohs(match->dst.u.gre.version)); +- +- if (mask->dst.u.gre.protocol) +- len += sprintf(buffer + len, "protocol=0x%x ", +- ntohs(match->dst.u.gre.protocol)); +- +- if (mask->src.u.gre.key) +- len += sprintf(buffer + len, "srckey=0x%x ", +- ntohl(match->src.u.gre.key)); +- +- if (mask->dst.u.gre.key) +- len += sprintf(buffer + len, "dstkey=0x%x ", +- ntohl(match->src.u.gre.key)); +- +- return len; +-} +- +-/* print a range of keys */ +-static unsigned int +-gre_print_range(char *buffer, const struct ip_nat_range *range) +-{ +- if (range->min.gre.key != 0 +- || range->max.gre.key != 0xFFFF) { +- if (range->min.gre.key == range->max.gre.key) +- return sprintf(buffer, "key 0x%x ", +- ntohl(range->min.gre.key)); +- else +- return sprintf(buffer, "keys 0x%u-0x%u ", +- ntohl(range->min.gre.key), +- ntohl(range->max.gre.key)); +- } else +- return 0; +-} +- +-/* nat helper struct */ +-static struct ip_nat_protocol gre = +- { { NULL, NULL }, "GRE", IPPROTO_GRE, +- gre_manip_pkt, +- gre_in_range, +- gre_unique_tuple, +- gre_print, +- gre_print_range +- }; +- +-static int __init init(void) +-{ +- if (ip_nat_protocol_register(&gre)) +- return -EIO; +- +- return 0; +-} +- +-static void __exit fini(void) +-{ +- ip_nat_protocol_unregister(&gre); +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_nat_standalone.c linux.stock/net/ipv4/netfilter/ip_nat_standalone.c +--- linux/net/ipv4/netfilter/ip_nat_standalone.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_standalone.c 2004-05-09 04:13:03.000000000 -0400 +@@ -37,7 +37,11 @@ + #include <linux/netfilter_ipv4/ip_conntrack_core.h> + #include <linux/netfilter_ipv4/listhelp.h> + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + #define HOOKNAME(hooknum) ((hooknum) == NF_IP_POST_ROUTING ? "POST_ROUTING" \ + : ((hooknum) == NF_IP_PRE_ROUTING ? "PRE_ROUTING" \ +@@ -354,6 +358,5 @@ + EXPORT_SYMBOL(ip_nat_helper_unregister); + EXPORT_SYMBOL(ip_nat_cheat_check); + EXPORT_SYMBOL(ip_nat_mangle_tcp_packet); +-EXPORT_SYMBOL(ip_nat_mangle_udp_packet); + EXPORT_SYMBOL(ip_nat_used_tuple); + MODULE_LICENSE("GPL"); +diff -Nurb linux/net/ipv4/netfilter/ip_nat_tftp.c linux.stock/net/ipv4/netfilter/ip_nat_tftp.c +--- linux/net/ipv4/netfilter/ip_nat_tftp.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_nat_tftp.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,186 +0,0 @@ +-/* +- * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu> +- * Version: 0.0.7 +- * +- * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org> +- * - Port to newnat API +- * +- * This module currently supports DNAT: +- * iptables -t nat -A PREROUTING -d x.x.x.x -j DNAT --to-dest x.x.x.y +- * +- * and SNAT: +- * iptables -t nat -A POSTROUTING { -j MASQUERADE , -j SNAT --to-source x.x.x.x } +- * +- * It has not been tested with +- * -j SNAT --to-source x.x.x.x-x.x.x.y since I only have one external ip +- * If you do test this please let me know if it works or not. +- * +- */ +- +-#include <linux/module.h> +-#include <linux/netfilter_ipv4.h> +-#include <linux/ip.h> +-#include <linux/udp.h> +- +-#include <linux/netfilter.h> +-#include <linux/netfilter_ipv4/ip_tables.h> +-#include <linux/netfilter_ipv4/ip_conntrack_helper.h> +-#include <linux/netfilter_ipv4/ip_conntrack_tftp.h> +-#include <linux/netfilter_ipv4/ip_nat_helper.h> +-#include <linux/netfilter_ipv4/ip_nat_rule.h> +- +-MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); +-MODULE_DESCRIPTION("Netfilter NAT helper for tftp"); +-MODULE_LICENSE("GPL"); +- +-#define MAX_PORTS 8 +- +-static int ports[MAX_PORTS]; +-static int ports_c = 0; +-#ifdef MODULE_PARM +-MODULE_PARM(ports,"1-" __MODULE_STRING(MAX_PORTS) "i"); +-MODULE_PARM_DESC(ports, "port numbers of tftp servers"); +-#endif +- +-#define DEBUGP(format, args...) +-static unsigned int +-tftp_nat_help(struct ip_conntrack *ct, +- struct ip_conntrack_expect *exp, +- struct ip_nat_info *info, +- enum ip_conntrack_info ctinfo, +- unsigned int hooknum, +- struct sk_buff **pskb) +-{ +- int dir = CTINFO2DIR(ctinfo); +- struct iphdr *iph = (*pskb)->nh.iph; +- struct udphdr *udph = (void *)iph + iph->ihl * 4; +- struct tftphdr *tftph = (void *)udph + 8; +- struct ip_conntrack_tuple repl; +- +- if (!((hooknum == NF_IP_POST_ROUTING && dir == IP_CT_DIR_ORIGINAL) +- || (hooknum == NF_IP_PRE_ROUTING && dir == IP_CT_DIR_REPLY))) +- return NF_ACCEPT; +- +- if (!exp) { +- DEBUGP("no conntrack expectation to modify\n"); +- return NF_ACCEPT; +- } +- +- switch (ntohs(tftph->opcode)) { +- /* RRQ and WRQ works the same way */ +- case TFTP_OPCODE_READ: +- case TFTP_OPCODE_WRITE: +- repl = ct->tuplehash[IP_CT_DIR_REPLY].tuple; +- DEBUGP(""); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); +- DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); +- DEBUGP("expecting: "); +- DUMP_TUPLE_RAW(&repl); +- DUMP_TUPLE_RAW(&exp->mask); +- ip_conntrack_change_expect(exp, &repl); +- break; +- default: +- DEBUGP("Unknown opcode\n"); +- } +- +- return NF_ACCEPT; +-} +- +-static unsigned int +-tftp_nat_expected(struct sk_buff **pskb, +- unsigned int hooknum, +- struct ip_conntrack *ct, +- struct ip_nat_info *info) +-{ +- const struct ip_conntrack *master = ct->master->expectant; +- const struct ip_conntrack_tuple *orig = +- &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple; +- struct ip_nat_multi_range mr; +- +- IP_NF_ASSERT(info); +- IP_NF_ASSERT(master); +- IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum)))); +- +- mr.rangesize = 1; +- mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; +- +- if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) { +- mr.range[0].min_ip = mr.range[0].max_ip = orig->dst.ip; +- DEBUGP("orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u " +- "newsrc: %u.%u.%u.%u\n", +- NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source), +- NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest), +- NIPQUAD(orig->dst.ip)); +- } else { +- mr.range[0].min_ip = mr.range[0].max_ip = orig->src.ip; +- mr.range[0].min.udp.port = mr.range[0].max.udp.port = +- orig->src.u.udp.port; +- mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; +- +- DEBUGP("orig: %u.%u.%u.%u:%u <-> %u.%u.%u.%u:%u " +- "newdst: %u.%u.%u.%u:%u\n", +- NIPQUAD((*pskb)->nh.iph->saddr), ntohs(udph->source), +- NIPQUAD((*pskb)->nh.iph->daddr), ntohs(udph->dest), +- NIPQUAD(orig->src.ip), ntohs(orig->src.u.udp.port)); +- } +- +- return ip_nat_setup_info(ct,&mr,hooknum); +-} +- +-static struct ip_nat_helper tftp[MAX_PORTS]; +-static char tftp_names[MAX_PORTS][10]; +- +-static void fini(void) +-{ +- int i; +- +- for (i = 0 ; i < ports_c; i++) { +- DEBUGP("unregistering helper for port %d\n", ports[i]); +- ip_nat_helper_unregister(&tftp[i]); +- } +-} +- +-static int __init init(void) +-{ +- int i, ret; +- char *tmpname; +- +- if (!ports[0]) +- ports[0] = TFTP_PORT; +- +- for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) { +- memset(&tftp[i], 0, sizeof(struct ip_nat_helper)); +- +- tftp[i].tuple.dst.protonum = IPPROTO_UDP; +- tftp[i].tuple.src.u.udp.port = htons(ports[i]); +- tftp[i].mask.dst.protonum = 0xFFFF; +- tftp[i].mask.src.u.udp.port = 0xFFFF; +- tftp[i].help = tftp_nat_help; +- tftp[i].flags = 0; +- tftp[i].me = THIS_MODULE; +- tftp[i].expect = tftp_nat_expected; +- +- tmpname = &tftp_names[i][0]; +- if (ports[i] == TFTP_PORT) +- sprintf(tmpname, "tftp"); +- else +- sprintf(tmpname, "tftp-%d", i); +- tftp[i].name = tmpname; +- +- DEBUGP("ip_nat_tftp: registering for port %d: name %s\n", +- ports[i], tftp[i].name); +- ret = ip_nat_helper_register(&tftp[i]); +- +- if (ret) { +- printk("ip_nat_tftp: unable to register for port %d\n", +- ports[i]); +- fini(); +- return ret; +- } +- ports_c++; +- } +- return ret; +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_pool.c linux.stock/net/ipv4/netfilter/ip_pool.c +--- linux/net/ipv4/netfilter/ip_pool.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_pool.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,328 +0,0 @@ +-/* Kernel module for IP pool management */ +- +-#include <linux/module.h> +-#include <linux/ip.h> +-#include <linux/skbuff.h> +-#include <linux/netfilter_ipv4/ip_tables.h> +-#include <linux/netfilter_ipv4/ip_pool.h> +-#include <linux/errno.h> +-#include <asm/uaccess.h> +-#include <asm/bitops.h> +-#include <linux/interrupt.h> +-#include <linux/spinlock.h> +- +-#define DP(format, args...) +- +-MODULE_LICENSE("GPL"); +- +-#define NR_POOL 16 +-static int nr_pool = NR_POOL;/* overwrite this when loading module */ +- +-struct ip_pool { +- u_int32_t first_ip; /* host byte order, included in range */ +- u_int32_t last_ip; /* host byte order, included in range */ +- void *members; /* the bitmap proper */ +- int nr_use; /* total nr. of tests through this */ +- int nr_match; /* total nr. of matches through this */ +- rwlock_t lock; +-}; +- +-static struct ip_pool *POOL; +- +-static inline struct ip_pool *lookup(ip_pool_t index) +-{ +- if (index < 0 || index >= nr_pool) { +- DP("ip_pool:lookup: bad index %d\n", index); +- return 0; +- } +- return POOL+index; +-} +- +-int ip_pool_match(ip_pool_t index, u_int32_t addr) +-{ +- struct ip_pool *pool = lookup(index); +- int res = 0; +- +- if (!pool || !pool->members) +- return 0; +- read_lock_bh(&pool->lock); +- if (pool->members) { +- if (addr >= pool->first_ip && addr <= pool->last_ip) { +- addr -= pool->first_ip; +- if (test_bit(addr, pool->members)) { +- res = 1; +-#ifdef CONFIG_IP_POOL_STATISTICS +- pool->nr_match++; +-#endif +- } +- } +-#ifdef CONFIG_IP_POOL_STATISTICS +- pool->nr_use++; +-#endif +- } +- read_unlock_bh(&pool->lock); +- return res; +-} +- +-static int pool_change(ip_pool_t index, u_int32_t addr, int isdel) +-{ +- struct ip_pool *pool; +- int res = -1; +- +- pool = lookup(index); +- if ( !pool || !pool->members +- || addr < pool->first_ip || addr > pool->last_ip) +- return -1; +- read_lock_bh(&pool->lock); +- if (pool->members && addr >= pool->first_ip && addr <= pool->last_ip) { +- addr -= pool->first_ip; +- res = isdel +- ? (0 != test_and_clear_bit(addr, pool->members)) +- : (0 != test_and_set_bit(addr, pool->members)); +- } +- read_unlock_bh(&pool->lock); +- return res; +-} +- +-int ip_pool_mod(ip_pool_t index, u_int32_t addr, int isdel) +-{ +- int res = pool_change(index,addr,isdel); +- +- if (!isdel) res = !res; +- return res; +-} +- +-static inline int bitmap_bytes(u_int32_t a, u_int32_t b) +-{ +- return 4*((((b-a+8)/8)+3)/4); +-} +- +-static inline int poolbytes(ip_pool_t index) +-{ +- struct ip_pool *pool = lookup(index); +- +- return pool ? bitmap_bytes(pool->first_ip, pool->last_ip) : 0; +-} +- +-static int setpool( +- struct sock *sk, +- int optval, +- void *user, +- unsigned int len +-) { +- struct ip_pool_request req; +- +- DP("ip_pool:setpool: optval=%d, user=%p, len=%d\n", optval, user, len); +- if (!capable(CAP_NET_ADMIN)) +- return -EPERM; +- if (optval != SO_IP_POOL) +- return -EBADF; +- if (len != sizeof(req)) +- return -EINVAL; +- if (copy_from_user(&req, user, sizeof(req)) != 0) +- return -EFAULT; +- printk("obsolete op - upgrade your ippool(8) utility.\n"); +- return -EINVAL; +-} +- +-static int getpool( +- struct sock *sk, +- int optval, +- void *user, +- int *len +-) { +- struct ip_pool_request req; +- struct ip_pool *pool; +- ip_pool_t i; +- int newbytes; +- void *newmembers; +- int res; +- +- DP("ip_pool:getpool: optval=%d, user=%p\n", optval, user); +- if (!capable(CAP_NET_ADMIN)) +- return -EINVAL; +- if (optval != SO_IP_POOL) +- return -EINVAL; +- if (*len != sizeof(req)) { +- return -EFAULT; +- } +- if (copy_from_user(&req, user, sizeof(req)) != 0) +- return -EFAULT; +- DP("ip_pool:getpool op=%d, index=%d\n", req.op, req.index); +- if (req.op < IP_POOL_BAD001) { +- printk("obsolete op - upgrade your ippool(8) utility.\n"); +- return -EFAULT; +- } +- switch(req.op) { +- case IP_POOL_HIGH_NR: +- DP("ip_pool HIGH_NR\n"); +- req.index = IP_POOL_NONE; +- for (i=0; i<nr_pool; i++) +- if (POOL[i].members) +- req.index = i; +- return copy_to_user(user, &req, sizeof(req)); +- case IP_POOL_LOOKUP: +- DP("ip_pool LOOKUP\n"); +- pool = lookup(req.index); +- if (!pool) +- return -EINVAL; +- if (!pool->members) +- return -EBADF; +- req.addr = htonl(pool->first_ip); +- req.addr2 = htonl(pool->last_ip); +- return copy_to_user(user, &req, sizeof(req)); +- case IP_POOL_USAGE: +- DP("ip_pool USE\n"); +- pool = lookup(req.index); +- if (!pool) +- return -EINVAL; +- if (!pool->members) +- return -EBADF; +- req.addr = pool->nr_use; +- req.addr2 = pool->nr_match; +- return copy_to_user(user, &req, sizeof(req)); +- case IP_POOL_TEST_ADDR: +- DP("ip_pool TEST 0x%08x\n", req.addr); +- pool = lookup(req.index); +- if (!pool) +- return -EINVAL; +- res = 0; +- read_lock_bh(&pool->lock); +- if (!pool->members) { +- DP("ip_pool TEST_ADDR no members in pool\n"); +- res = -EBADF; +- goto unlock_and_return_res; +- } +- req.addr = ntohl(req.addr); +- if (req.addr < pool->first_ip) { +- DP("ip_pool TEST_ADDR address < pool bounds\n"); +- res = -ERANGE; +- goto unlock_and_return_res; +- } +- if (req.addr > pool->last_ip) { +- DP("ip_pool TEST_ADDR address > pool bounds\n"); +- res = -ERANGE; +- goto unlock_and_return_res; +- } +- req.addr = (0 != test_bit((req.addr - pool->first_ip), +- pool->members)); +- read_unlock_bh(&pool->lock); +- return copy_to_user(user, &req, sizeof(req)); +- case IP_POOL_FLUSH: +- DP("ip_pool FLUSH not yet implemented.\n"); +- return -EBUSY; +- case IP_POOL_DESTROY: +- DP("ip_pool DESTROY not yet implemented.\n"); +- return -EBUSY; +- case IP_POOL_INIT: +- DP("ip_pool INIT 0x%08x-0x%08x\n", req.addr, req.addr2); +- pool = lookup(req.index); +- if (!pool) +- return -EINVAL; +- req.addr = ntohl(req.addr); +- req.addr2 = ntohl(req.addr2); +- if (req.addr > req.addr2) { +- DP("ip_pool INIT bad ip range\n"); +- return -EINVAL; +- } +- newbytes = bitmap_bytes(req.addr, req.addr2); +- newmembers = kmalloc(newbytes, GFP_KERNEL); +- if (!newmembers) { +- DP("ip_pool INIT out of mem for %d bytes\n", newbytes); +- return -ENOMEM; +- } +- memset(newmembers, 0, newbytes); +- write_lock_bh(&pool->lock); +- if (pool->members) { +- DP("ip_pool INIT pool %d exists\n", req.index); +- kfree(newmembers); +- res = -EBUSY; +- goto unlock_and_return_res; +- } +- pool->first_ip = req.addr; +- pool->last_ip = req.addr2; +- pool->nr_use = 0; +- pool->nr_match = 0; +- pool->members = newmembers; +- write_unlock_bh(&pool->lock); +- return 0; +- case IP_POOL_ADD_ADDR: +- DP("ip_pool ADD_ADDR 0x%08x\n", req.addr); +- req.addr = pool_change(req.index, ntohl(req.addr), 0); +- return copy_to_user(user, &req, sizeof(req)); +- case IP_POOL_DEL_ADDR: +- DP("ip_pool DEL_ADDR 0x%08x\n", req.addr); +- req.addr = pool_change(req.index, ntohl(req.addr), 1); +- return copy_to_user(user, &req, sizeof(req)); +- default: +- DP("ip_pool:getpool bad op %d\n", req.op); +- return -EINVAL; +- } +- return -EINVAL; +- +-unlock_and_return_res: +- if (pool) +- read_unlock_bh(&pool->lock); +- return res; +-} +- +-static struct nf_sockopt_ops so_pool +-= { { NULL, NULL }, PF_INET, +- SO_IP_POOL, SO_IP_POOL+1, &setpool, +- SO_IP_POOL, SO_IP_POOL+1, &getpool, +- 0, NULL }; +- +-MODULE_PARM(nr_pool, "i"); +- +-static int __init init(void) +-{ +- ip_pool_t i; +- int res; +- +- if (nr_pool < 1) { +- printk("ip_pool module init: bad nr_pool %d\n", nr_pool); +- return -EINVAL; +- } +- POOL = kmalloc(nr_pool * sizeof(*POOL), GFP_KERNEL); +- if (!POOL) { +- printk("ip_pool module init: out of memory for nr_pool %d\n", +- nr_pool); +- return -ENOMEM; +- } +- for (i=0; i<nr_pool; i++) { +- POOL[i].first_ip = 0; +- POOL[i].last_ip = 0; +- POOL[i].members = 0; +- POOL[i].nr_use = 0; +- POOL[i].nr_match = 0; +- POOL[i].lock = RW_LOCK_UNLOCKED; +- } +- res = nf_register_sockopt(&so_pool); +- DP("ip_pool:init %d pools, result %d\n", nr_pool, res); +- if (res != 0) { +- kfree(POOL); +- POOL = 0; +- } +- return res; +-} +- +-static void __exit fini(void) +-{ +- ip_pool_t i; +- +- DP("ip_pool:fini BYEBYE\n"); +- nf_unregister_sockopt(&so_pool); +- for (i=0; i<nr_pool; i++) { +- if (POOL[i].members) { +- kfree(POOL[i].members); +- POOL[i].members = 0; +- } +- } +- kfree(POOL); +- POOL = 0; +- DP("ip_pool:fini these are the famous last words\n"); +- return; +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv4/netfilter/ip_tables.c linux.stock/net/ipv4/netfilter/ip_tables.c +--- linux/net/ipv4/netfilter/ip_tables.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ip_tables.c 2004-05-09 04:13:03.000000000 -0400 +@@ -62,6 +62,11 @@ + #include <linux/netfilter_ipv4/lockhelp.h> + #include <linux/netfilter_ipv4/listhelp.h> + ++#if 0 ++/* All the better to debug you with... */ ++#define static ++#define inline ++#endif + + /* Locking is simple: we assume at worst case there will be one packet + in user context and one from bottom halves (or soft irq if Alexey's +@@ -83,6 +88,7 @@ + { + /* Size per table */ + unsigned int size; ++ /* Number of entries: FIXME. --RR */ + unsigned int number; + /* Initial number of entries. Needed for module usage count */ + unsigned int initial_entries; +@@ -106,6 +112,11 @@ + #define TABLE_OFFSET(t,p) 0 + #endif + ++#if 0 ++#define down(x) do { printk("DOWN:%u:" #x "\n", __LINE__); down(x); } while(0) ++#define down_interruptible(x) ({ int __r; printk("DOWNi:%u:" #x "\n", __LINE__); __r = down_interruptible(x); if (__r != 0) printk("ABORT-DOWNi:%u\n", __LINE__); __r; }) ++#define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0) ++#endif + + /* Returns whether matches rule or not. */ + static inline int +@@ -408,6 +419,12 @@ + { + void *ret; + ++#if 0 ++ duprintf("find_inlist: searching for `%s' in %s.\n", ++ name, head == &ipt_target ? "ipt_target" ++ : head == &ipt_match ? "ipt_match" ++ : head == &ipt_tables ? "ipt_tables" : "UNKNOWN"); ++#endif + + *error = down_interruptible(mutex); + if (*error != 0) +@@ -745,6 +762,8 @@ + newinfo->underflow[h] = underflows[h]; + } + ++ /* FIXME: underflows must be unconditional, standard verdicts ++ < 0 (not IPT_RETURN). --RR */ + + /* Clear counters and comefrom */ + e->counters = ((struct ipt_counters) { 0, 0 }); +@@ -957,6 +976,7 @@ + goto free_counters; + } + ++ /* FIXME: use iterator macros --RR */ + /* ... then go back and fix counters and names */ + for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ + unsigned int i; +@@ -1134,6 +1154,14 @@ + const struct ipt_counters addme[], + unsigned int *i) + { ++#if 0 ++ duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n", ++ *i, ++ (long unsigned int)e->counters.pcnt, ++ (long unsigned int)e->counters.bcnt, ++ (long unsigned int)addme[*i].pcnt, ++ (long unsigned int)addme[*i].bcnt); ++#endif + + ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt); + +@@ -1495,6 +1523,7 @@ + return 0; + } + ++ /* FIXME: Try tcp doff >> packet len against various stacks --RR */ + + #define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg)) + +@@ -1670,15 +1699,14 @@ + = { { NULL, NULL }, "icmp", &icmp_match, &icmp_checkentry, NULL }; + + #ifdef CONFIG_PROC_FS +-static inline int print_name(const char *i, ++static inline int print_name(const struct ipt_table *t, + off_t start_offset, char *buffer, int length, + off_t *pos, unsigned int *count) + { + if ((*count)++ >= start_offset) { + unsigned int namelen; + +- namelen = sprintf(buffer + *pos, "%s\n", +- i + sizeof(struct list_head)); ++ namelen = sprintf(buffer + *pos, "%s\n", t->name); + if (*pos + namelen > length) { + /* Stop iterating */ + return 1; +@@ -1696,7 +1724,7 @@ + if (down_interruptible(&ipt_mutex) != 0) + return 0; + +- LIST_FIND(&ipt_tables, print_name, void *, ++ LIST_FIND(&ipt_tables, print_name, struct ipt_table *, + offset, buffer, length, &pos, &count); + + up(&ipt_mutex); +@@ -1705,46 +1733,6 @@ + *start=(char *)((unsigned long)count-offset); + return pos; + } +- +-static int ipt_get_targets(char *buffer, char **start, off_t offset, int length) +-{ +- off_t pos = 0; +- unsigned int count = 0; +- +- if (down_interruptible(&ipt_mutex) != 0) +- return 0; +- +- LIST_FIND(&ipt_target, print_name, void *, +- offset, buffer, length, &pos, &count); +- +- up(&ipt_mutex); +- +- *start = (char *)((unsigned long)count - offset); +- return pos; +-} +- +-static int ipt_get_matches(char *buffer, char **start, off_t offset, int length) +-{ +- off_t pos = 0; +- unsigned int count = 0; +- +- if (down_interruptible(&ipt_mutex) != 0) +- return 0; +- +- LIST_FIND(&ipt_match, print_name, void *, +- offset, buffer, length, &pos, &count); +- +- up(&ipt_mutex); +- +- *start = (char *)((unsigned long)count - offset); +- return pos; +-} +- +-static struct { char *name; get_info_t *get_info; } ipt_proc_entry[] = +-{ { "ip_tables_names", ipt_get_tables }, +- { "ip_tables_targets", ipt_get_targets }, +- { "ip_tables_matches", ipt_get_matches }, +- { NULL, NULL} }; + #endif /*CONFIG_PROC_FS*/ + + static int __init init(void) +@@ -1770,20 +1758,14 @@ + #ifdef CONFIG_PROC_FS + { + struct proc_dir_entry *proc; +- int i; + +- for (i = 0; ipt_proc_entry[i].name; i++) { +- proc = proc_net_create(ipt_proc_entry[i].name, 0, +- ipt_proc_entry[i].get_info); ++ proc = proc_net_create("ip_tables_names", 0, ipt_get_tables); + if (!proc) { +- while (--i >= 0) +- proc_net_remove(ipt_proc_entry[i].name); + nf_unregister_sockopt(&ipt_sockopts); + return -ENOMEM; + } + proc->owner = THIS_MODULE; + } +- } + #endif + + printk("ip_tables: (C) 2000-2002 Netfilter core team\n"); +@@ -1794,11 +1776,7 @@ + { + nf_unregister_sockopt(&ipt_sockopts); + #ifdef CONFIG_PROC_FS +- { +- int i; +- for (i = 0; ipt_proc_entry[i].name; i++) +- proc_net_remove(ipt_proc_entry[i].name); +- } ++ proc_net_remove("ip_tables_names"); + #endif + } + +diff -Nurb linux/net/ipv4/netfilter/ipchains_core.c linux.stock/net/ipv4/netfilter/ipchains_core.c +--- linux/net/ipv4/netfilter/ipchains_core.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipchains_core.c 2004-05-09 04:13:03.000000000 -0400 +@@ -977,10 +977,17 @@ + || ftmp->ipfw.fw_dst.s_addr!=frwl->ipfw.fw_dst.s_addr + || ftmp->ipfw.fw_smsk.s_addr!=frwl->ipfw.fw_smsk.s_addr + || ftmp->ipfw.fw_dmsk.s_addr!=frwl->ipfw.fw_dmsk.s_addr ++#if 0 ++ || ftmp->ipfw.fw_flg!=frwl->ipfw.fw_flg ++#else + || ((ftmp->ipfw.fw_flg & ~IP_FW_F_MARKABS) + != (frwl->ipfw.fw_flg & ~IP_FW_F_MARKABS)) ++#endif + || ftmp->ipfw.fw_invflg!=frwl->ipfw.fw_invflg + || ftmp->ipfw.fw_proto!=frwl->ipfw.fw_proto ++#if 0 ++ || ftmp->ipfw.fw_mark!=frwl->ipfw.fw_mark ++#endif + || ftmp->ipfw.fw_redirpt!=frwl->ipfw.fw_redirpt + || ftmp->ipfw.fw_spts[0]!=frwl->ipfw.fw_spts[0] + || ftmp->ipfw.fw_spts[1]!=frwl->ipfw.fw_spts[1] +@@ -1566,6 +1573,7 @@ + ) + { + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29) ++ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */ + int reset = 0; + #endif + struct ip_chain *i; +diff -Nurb linux/net/ipv4/netfilter/ipfwadm_core.c linux.stock/net/ipv4/netfilter/ipfwadm_core.c +--- linux/net/ipv4/netfilter/ipfwadm_core.c 2003-10-14 04:09:33.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipfwadm_core.c 2004-05-09 04:13:03.000000000 -0400 +@@ -20,7 +20,7 @@ + * license in recognition of the original copyright. + * -- Alan Cox. + * +- * $Id: ipfwadm_core.c,v 1.1.1.4 2003/10/14 08:09:33 sparq Exp $ ++ * $Id: ipfwadm_core.c,v 1.9.2.2 2002/01/24 15:50:42 davem Exp $ + * + * Ported from BSD to Linux, + * Alan Cox 22/Nov/1994. +@@ -1205,6 +1205,7 @@ + ) + { + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29) ++ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */ + int reset = 0; + #endif + return ip_chain_procinfo(IP_FW_ACCT, buffer,start, offset,length, +@@ -1223,6 +1224,7 @@ + ) + { + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29) ++ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */ + int reset = 0; + #endif + return ip_chain_procinfo(IP_FW_IN, buffer,start,offset,length, +@@ -1237,6 +1239,7 @@ + ) + { + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29) ++ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */ + int reset = 0; + #endif + return ip_chain_procinfo(IP_FW_OUT, buffer,start,offset,length, +@@ -1251,6 +1254,7 @@ + ) + { + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,29) ++ /* FIXME: No more `atomic' read and reset. Wonderful 8-( --RR */ + int reset = 0; + #endif + return ip_chain_procinfo(IP_FW_FWD, buffer,start,offset,length, +diff -Nurb linux/net/ipv4/netfilter/ipt_ECN.c linux.stock/net/ipv4/netfilter/ipt_ECN.c +--- linux/net/ipv4/netfilter/ipt_ECN.c 2003-10-14 04:02:57.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipt_ECN.c 2004-05-09 04:13:03.000000000 -0400 +@@ -87,8 +87,8 @@ + } + + if (diffs[0] != *tcpflags) { +- diffs[0] = diffs[0] ^ 0xFFFF; +- diffs[1] = *tcpflags; ++ diffs[0] = htons(diffs[0]) ^ 0xFFFF; ++ diffs[1] = htons(*tcpflags); + tcph->check = csum_fold(csum_partial((char *)diffs, + sizeof(diffs), + tcph->check^0xFFFF)); +diff -Nurb linux/net/ipv4/netfilter/ipt_LOG.c linux.stock/net/ipv4/netfilter/ipt_LOG.c +--- linux/net/ipv4/netfilter/ipt_LOG.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipt_LOG.c 2004-05-09 04:13:03.000000000 -0400 +@@ -14,11 +14,15 @@ + #include <net/route.h> + #include <linux/netfilter_ipv4/ipt_LOG.h> + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + struct esphdr { + __u32 spi; +-}; ++}; /* FIXME evil kludge */ + + /* Use lock to serialize, so printks don't overlap */ + static spinlock_t log_lock = SPIN_LOCK_UNLOCKED; +diff -Nurb linux/net/ipv4/netfilter/ipt_REJECT.c linux.stock/net/ipv4/netfilter/ipt_REJECT.c +--- linux/net/ipv4/netfilter/ipt_REJECT.c 2003-07-04 04:12:31.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipt_REJECT.c 2004-05-09 04:13:03.000000000 -0400 +@@ -6,8 +6,6 @@ + #include <linux/module.h> + #include <linux/skbuff.h> + #include <linux/ip.h> +-#include <linux/udp.h> +-#include <linux/icmp.h> + #include <net/icmp.h> + #include <net/ip.h> + #include <net/tcp.h> +@@ -16,7 +14,11 @@ + #include <linux/netfilter_ipv4/ip_tables.h> + #include <linux/netfilter_ipv4/ipt_REJECT.h> + ++#if 0 ++#define DEBUGP printk ++#else + #define DEBUGP(format, args...) ++#endif + + /* If the original packet is part of a connection, but the connection + is not confirmed, our manufactured reply will not be associated +@@ -155,7 +157,6 @@ + static void send_unreach(struct sk_buff *skb_in, int code) + { + struct iphdr *iph; +- struct udphdr *udph; + struct icmphdr *icmph; + struct sk_buff *nskb; + u32 saddr; +@@ -167,6 +168,7 @@ + if (!rt) + return; + ++ /* FIXME: Use sysctl number. --RR */ + if (!xrlim_allow(&rt->u.dst, 1*HZ)) + return; + +@@ -184,19 +186,6 @@ + if (iph->frag_off&htons(IP_OFFSET)) + return; + +- /* if UDP checksum is set, verify it's correct */ +- if (iph->protocol == IPPROTO_UDP +- && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) { +- int datalen = skb_in->len - (iph->ihl<<2); +- udph = (struct udphdr *)((char *)iph + (iph->ihl<<2)); +- if (udph->check +- && csum_tcpudp_magic(iph->saddr, iph->daddr, +- datalen, IPPROTO_UDP, +- csum_partial((char *)udph, datalen, +- 0)) != 0) +- return; +- } +- + /* If we send an ICMP error to an ICMP error a mess would result.. */ + if (iph->protocol == IPPROTO_ICMP + && skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) { +@@ -271,6 +260,7 @@ + /* Copy as much of original packet as will fit */ + data = skb_put(nskb, + length - sizeof(struct iphdr) - sizeof(struct icmphdr)); ++ /* FIXME: won't work with nonlinear skbs --RR */ + memcpy(data, skb_in->nh.iph, + length - sizeof(struct iphdr) - sizeof(struct icmphdr)); + icmph->checksum = ip_compute_csum((unsigned char *)icmph, +diff -Nurb linux/net/ipv4/netfilter/ipt_ULOG.c linux.stock/net/ipv4/netfilter/ipt_ULOG.c +--- linux/net/ipv4/netfilter/ipt_ULOG.c 2003-07-04 04:12:32.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipt_ULOG.c 2004-05-09 04:13:03.000000000 -0400 +@@ -12,7 +12,6 @@ + * module loadtime -HW + * 2002/07/07 remove broken nflog_rcv() function -HW + * 2002/08/29 fix shifted/unshifted nlgroup bug -HW +- * 2002/10/30 fix uninitialized mac_len field - <Anders K. Pedersen> + * + * Released under the terms of the GPL + * +@@ -32,7 +31,7 @@ + * Specify, after how many clock ticks (intel: 100 per second) the queue + * should be flushed even if it is not full yet. + * +- * ipt_ULOG.c,v 1.22 2002/10/30 09:07:31 laforge Exp ++ * ipt_ULOG.c,v 1.21 2002/08/29 10:54:34 laforge Exp + */ + + #include <linux/module.h> +@@ -60,7 +59,12 @@ + #define ULOG_NL_EVENT 111 /* Harald's favorite number */ + #define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */ + ++#if 0 ++#define DEBUGP(format, args...) printk(__FILE__ ":" __FUNCTION__ ":" \ ++ format, ## args) ++#else + #define DEBUGP(format, args...) ++#endif + + #define PRINTR(format, args...) do { if (net_ratelimit()) printk(format, ## args); } while (0) + +@@ -220,8 +224,7 @@ + && in->hard_header_len <= ULOG_MAC_LEN) { + memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len); + pm->mac_len = in->hard_header_len; +- } else +- pm->mac_len = 0; ++ } + + if (in) + strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); +diff -Nurb linux/net/ipv4/netfilter/ipt_multiport.c linux.stock/net/ipv4/netfilter/ipt_multiport.c +--- linux/net/ipv4/netfilter/ipt_multiport.c 2003-07-04 04:12:32.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipt_multiport.c 2004-05-09 04:13:03.000000000 -0400 +@@ -8,7 +8,11 @@ + #include <linux/netfilter_ipv4/ipt_multiport.h> + #include <linux/netfilter_ipv4/ip_tables.h> + ++#if 0 ++#define duprintf(format, args...) printk(format , ## args) ++#else + #define duprintf(format, args...) ++#endif + + /* Returns 1 if the port is matched by the test, 0 otherwise. */ + static inline int +@@ -74,7 +78,7 @@ + + /* Must specify proto == TCP/UDP, no unknown flags or bad count */ + return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP) +- && !(ip->invflags & IPT_INV_PROTO) ++ && !(ip->flags & IPT_INV_PROTO) + && matchsize == IPT_ALIGN(sizeof(struct ipt_multiport)) + && (multiinfo->flags == IPT_MULTIPORT_SOURCE + || multiinfo->flags == IPT_MULTIPORT_DESTINATION +diff -Nurb linux/net/ipv4/netfilter/ipt_pool.c linux.stock/net/ipv4/netfilter/ipt_pool.c +--- linux/net/ipv4/netfilter/ipt_pool.c 2003-07-04 04:12:32.000000000 -0400 ++++ linux.stock/net/ipv4/netfilter/ipt_pool.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,71 +0,0 @@ +-/* Kernel module to match an IP address pool. */ +- +-#include <linux/module.h> +-#include <linux/ip.h> +-#include <linux/skbuff.h> +- +-#include <linux/netfilter_ipv4/ip_tables.h> +-#include <linux/netfilter_ipv4/ip_pool.h> +-#include <linux/netfilter_ipv4/ipt_pool.h> +- +-static inline int match_pool( +- ip_pool_t index, +- __u32 addr, +- int inv +-) { +- if (ip_pool_match(index, ntohl(addr))) +- inv = !inv; +- return inv; +-} +- +-static int match( +- const struct sk_buff *skb, +- const struct net_device *in, +- const struct net_device *out, +- const void *matchinfo, +- int offset, +- const void *hdr, +- u_int16_t datalen, +- int *hotdrop +-) { +- const struct ipt_pool_info *info = matchinfo; +- const struct iphdr *iph = skb->nh.iph; +- +- if (info->src != IP_POOL_NONE && !match_pool(info->src, iph->saddr, +- info->flags&IPT_POOL_INV_SRC)) +- return 0; +- +- if (info->dst != IP_POOL_NONE && !match_pool(info->dst, iph->daddr, +- info->flags&IPT_POOL_INV_DST)) +- return 0; +- +- return 1; +-} +- +-static int checkentry( +- const char *tablename, +- const struct ipt_ip *ip, +- void *matchinfo, +- unsigned int matchsize, +- unsigned int hook_mask +-) { +- if (matchsize != IPT_ALIGN(sizeof(struct ipt_pool_info))) +- return 0; +- return 1; +-} +- +-static struct ipt_match pool_match +-= { { NULL, NULL }, "pool", &match, &checkentry, NULL, THIS_MODULE }; +- +-static int __init init(void) +-{ +- return ipt_register_match(&pool_match); +-} +- +-static void __exit fini(void) +-{ +- ipt_unregister_match(&pool_match); +-} +- +-module_init(init); +-module_exit(fini); +diff -Nurb linux/net/ipv6/mcast.c linux.stock/net/ipv6/mcast.c +--- linux/net/ipv6/mcast.c 2003-10-14 04:09:34.000000000 -0400 ++++ linux.stock/net/ipv6/mcast.c 2004-05-09 04:13:22.000000000 -0400 +@@ -5,7 +5,7 @@ + * Authors: + * Pedro Roque <roque@di.fc.ul.pt> + * +- * $Id: mcast.c,v 1.1.1.4 2003/10/14 08:09:34 sparq Exp $ ++ * $Id: mcast.c,v 1.38 2001/08/15 07:36:31 davem Exp $ + * + * Based on linux/ipv4/igmp.c and linux/ipv4/ip_sockglue.c + * +--- linux/include/linux/ppp-comp.h 2004-08-16 20:58:32.089851872 -0400 ++++ linux.stock/include/linux/ppp-comp.h 2004-08-16 20:59:48.217278744 -0400 +@@ -24,7 +24,7 @@ + * OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, + * OR MODIFICATIONS. + * +- * $Id: ppp-comp.h,v 1.1.1.4 2003/10/14 08:09:26 sparq Exp $ ++ * $Id: ppp-comp.h,v 1.6 1997/11/27 06:04:44 paulus Exp $ + */ + + /* |